# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# MALWARE-CNC RULES
#-------------------

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /message.php?subid="; flow:to_server,established; content:"/message.php?subid="; nocase; http_uri; content:"version=_nn2"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16925; classtype:trojan-activity; sid:16925; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - MGWEB.php?c=TestUrl"; flow:to_server,established; content:"MGWEB.php?c=TestUrl"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16927; classtype:trojan-activity; sid:16927; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - gate.php?guid="; flow:to_server,established; content:"gate.php?guid="; nocase; http_uri; content:"stat=ONLINE"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16929; classtype:trojan-activity; sid:16929; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - count.asp?mac="; flow:to_server,established; content:"count.asp?mac="; nocase; http_uri; content:"os=Windows"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16930; classtype:trojan-activity; sid:16930; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - ucsp0416.exe?t="; flow:to_server,established; content:"ucsp0416.exe?t="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16911; classtype:trojan-activity; sid:16911; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /s1/launcher/update/Update/data/"; flow:to_server,established; content:"/s1/launcher/update/Update/data/"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16921; classtype:trojan-activity; sid:16921; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - count_log/log/boot.php?p="; flow:to_server,established; content:"count_log/log/boot.php?p="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16913; classtype:trojan-activity; sid:16913; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /search.php?username=coolweb07&keywords="; flow:to_server,established; content:"/search.php?username=coolweb07&keywords="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16923; classtype:trojan-activity; sid:16923; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF"; flow:to_server,established; content:"/MNG/Download/?File=AZF"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16915; classtype:trojan-activity; sid:16915; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - feedbigfoot.php?m="; flow:to_server,established; content:"feedbigfoot.php?m="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16931; classtype:trojan-activity; sid:16931; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - net/cfg2.bin"; flow:to_server,established; content:"net/cfg2.bin"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16912; classtype:trojan-activity; sid:16912; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /ekaterina/velika"; flow:to_server,established; content:"/ekaterina/velika"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16917; classtype:trojan-activity; sid:16917; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /tmp/pm.exe?t="; flow:to_server,established; content:"/tmp/pm.exe?t="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16919; classtype:trojan-activity; sid:16919; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - strMode=setup&strID=pcvaccine&strPC="; flow:to_server,established; content:"strMode=setup&strID=pcvaccine&strPC="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16926; classtype:trojan-activity; sid:16926; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /root/9 frt.rar"; flow:to_server,established; content:"/root/9"; nocase; http_uri; content:".rar"; nocase; http_uri; pcre:"/\/root\/9\d\d\/frt\d\.rar/Ui"; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16933; classtype:trojan-activity; sid:16933; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - .bin?ucsp"; flow:to_server,established; content:".bin?ucsp"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16914; classtype:trojan-activity; sid:16914; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz"; flow:to_server,established; content:"/stat.html?0dPg0uXTraCSqrOdlrKpmpyorePbz"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16928; classtype:trojan-activity; sid:16928; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /DownLoadFile/BaePo/ver"; flow:to_server,established; content:"/DownLoadFile/BaePo/ver"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16920; classtype:trojan-activity; sid:16920; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /jarun/jezerce"; flow:to_server,established; content:"/jarun/jezerce"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16916; classtype:trojan-activity; sid:16916; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /cgi-bin/rd.cgi?f=/vercfg.dat?AgentID="; flow:to_server,established; content:"/cgi-bin/rd.cgi?f=/vercfg.dat?AgentID="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16922; classtype:trojan-activity; sid:16922; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /ultimate/fight"; flow:to_server,established; content:"/ultimate/fight"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16918; classtype:trojan-activity; sid:16918; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /qqnongchang/qqkj."; flow:to_server,established; content:"/qqnongchang/qqkj."; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16932; classtype:trojan-activity; sid:16932; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /inst.php?fff="; flow:to_server,established; content:"/inst.php?fff="; nocase; http_uri; content:"coid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16924; classtype:trojan-activity; sid:16924; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /MNG/Download/?File=AZF DATADIR Download"; flow:to_server,established; content:"/MNG/Download/?File=AZF:|7C|DATADIR|7C|Download"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17907; classtype:trojan-activity; sid:17907; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /winhelper.exe"; flow:to_server,established; content:"/winhelper.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17911; classtype:trojan-activity; sid:17911; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /?getexe=loader.exe"; flow:to_server,established; content:"/?getexe=loader.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17902; classtype:trojan-activity; sid:17902; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /LjBin/Bin.Dll"; flow:to_server,established; content:"/LjBin/Bin.Dll"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17914; classtype:trojan-activity; sid:17914; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - 2x/.*php"; flow:to_server,established; content:"2x/"; nocase; http_uri; pcre:"/2x\/.*php/Ui"; content:"p=ck"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17906; classtype:trojan-activity; sid:17906; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /7xdown.exe"; flow:to_server,established; content:"/7xdown.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17910; classtype:trojan-activity; sid:17910; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /1001ns/cfg3n.bin"; flow:to_server,established; content:"/1001ns/cfg3n.bin"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17915; classtype:trojan-activity; sid:17915; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /get2.php?c=VTOXUGUI&d="; flow:to_server,established; content:"/get2.php?c=VTOXUGUI&d="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-17898; classtype:trojan-activity; sid:17898; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /mybackup21.rar"; flow:to_server,established; content:"/mybackup21.rar"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17901; classtype:trojan-activity; sid:17901; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /ok.exe"; flow:to_server,established; content:"/ok.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17913; classtype:trojan-activity; sid:17913; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - 1de49069b6044785e9dfcd4c035cfd0c.php"; flow:to_server,established; content:"1de49069b6044785e9dfcd4c035cfd0c.php"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17905; classtype:trojan-activity; sid:17905; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /basic/cn3c2/c.*dll"; flow:to_server,established; content:"/basic/cn3c2/c"; nocase; http_uri; pcre:"/\/basic\/cn3c2\/c.*dll/Ui"; metadata:service http; reference:url,snort.org/rule_docs/1-17900; classtype:trojan-activity; sid:17900; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /images/css/1.exe"; flow:to_server,established; content:"/images/css/1.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17909; classtype:trojan-activity; sid:17909; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /reques0.asp?kind=006&mac="; flow:to_server,established; content:"/reques0.asp?kind=006&mac="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-17899; classtype:trojan-activity; sid:17899; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /dh/stats.bin"; flow:to_server,established; content:"/dh/stats.bin"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17916; classtype:trojan-activity; sid:17916; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /upopwin/count.asp?mac="; flow:to_server,established; content:"/upopwin/count.asp?mac="; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17912; classtype:trojan-activity; sid:17912; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /images/crypt_22.exe"; flow:to_server,established; content:"/images/crypt_22.exe"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17908; classtype:trojan-activity; sid:17908; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /zeus/config.bin"; flow:to_server,established; content:"/zeus/config.bin"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17917; classtype:trojan-activity; sid:17917; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - stid="; flow:to_server,established; content:"stid="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"hs=www.play65.com"; nocase; http_uri; metadata:service http; reference:url,snort.org/rule_docs/1-17903; classtype:trojan-activity; sid:17903; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - greenherbalteagirlholdingcup"; flow:established,to_server; content:"greenherbalteagirlholdingcup"; fast_pattern:only; http_uri; pcre:"/greenherbalteagirlholdingcup\d+\.gif/Ui"; metadata:service http; classtype:trojan-activity; sid:19256; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious uri config.ini on 3322.org domain"; flow:to_server,established; content:"/config.ini"; http_uri; content:"3322|2E|org"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f72abdad67d82e60386896efdbf84f2f7b560b54c161fb56033224882c51c220/analysis/; classtype:trojan-activity; sid:19493; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /setup_b.asp?prj="; flow:established,to_server; content:"/setup_b.asp?prj="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/\/setup_b\.asp\?prj=\d\x26pid=[^\r\n]*\x26mac=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f99c0b916ad6fea6888fb5029bbf9b7807d0879298efd896298e54f273234cbe/analysis/; classtype:trojan-activity; sid:19626; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /kx4.txt"; flow:established,to_server; content:"/kx4.txt"; depth:8; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1fba1aab5d68fea2d2f0386c63b108d389c2b93d0fbc08ff6071497bb7fb6e1d/analysis/; classtype:trojan-activity; sid:19638; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - AnSSip="; flow:established,to_server; content:"|26|AnSSip="; nocase; http_uri; pcre:"/\/\?id=\d+\x26AnSSip=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dd947d749f836851d8878b5d31dacb54110b4c4cafd7ebe8421dbe911a83d358/analysis/; classtype:trojan-activity; sid:19631; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /VertexNet/tasks.php?uid="; flow:established,to_server; content:"/VertexNet/tasks.php?uid=|7B|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8/analysis/; classtype:trojan-activity; sid:19633; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /r_autoidcnt.asp?mer_seq="; flow:established,to_server; content:"/r_autoidcnt.asp?mer_seq="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/\/r_autoidcnt\.asp\?mer_seq=\d[^\r\n]*\x26mac=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d8f85e320f2841da5319582ea1020f12e622def611728e5eb076477e3f0aa3b2/analysis/; classtype:trojan-activity; sid:19627; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - .sys.php?getexe="; flow:established,to_server; content:".sys.php?getexe="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ba84f21b6f1879c2d6ce7c600cfb077cee4a172c8e0711e4ce67b32d1b315e82/analysis/; classtype:trojan-activity; sid:19625; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /VertexNet/adduser.php?uid="; flow:established,to_server; content:"/VertexNet/adduser.php?uid=|7B|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0fa0ea73215d09048cb0245bd2c8e56135c86068e78332c482a1afc862688bb8/analysis/; classtype:trojan-activity; sid:19632; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /blog/images/3521.jpg?v"; flow:established,to_server; content:"/blog/images/3521.jpg?v"; nocase; http_uri; content:"&tq="; nocase; http_uri; pcre:"/\/blog\/images\/3521\.jpg\?v\d{2}=\d{2}\x26tq=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/adcf7ecf750059f9645dc9dc807f0d1f84df23f03096e41d018edcad725057b1/analysis/; classtype:trojan-activity; sid:19636; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /app/?prj="; flow:established,to_server; content:"/app/?prj="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/\/app\/\?prj=\d\x26pid=[^\r\n]+\x26mac=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/444383f00dfb73927bf8835d6c847aa2eba24fe6f0266f397e42fae186d53009/analysis/; classtype:trojan-activity; sid:19635; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - pte.aspx?ver="; flow:established,to_server; content:"/pte.aspx?ver="; nocase; http_uri; content:"&rnd="; nocase; http_uri; pcre:"/\/pte\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc/analysis/; classtype:trojan-activity; sid:19622; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /1cup/script.php"; flow:established,to_server; content:"/1cup/script.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/93ae95010d79fbd56f59ee74db5758d2bef5cde451bbbfa7be80fee5023632b5/analysis/; classtype:trojan-activity; sid:19628; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /install.asp?mac="; flow:established,to_server; content:"/install.asp?mac="; nocase; http_uri; content:"&mode"; nocase; http_uri; pcre:"/\/install\.asp\?mac=[A-F\d]{12}\x26mode/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f0e9e420544f116948b8dfd3d1ed8d156d323684fa6bd58cc87c0ee49320a21c/analysis/; classtype:trojan-activity; sid:19637; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - vic.aspx?ver="; flow:established,to_server; content:"/vic.aspx?ver="; nocase; http_uri; content:"&rnd="; nocase; http_uri; pcre:"/\/vic\.aspx\?ver=\d\.\d\.\d+\.\d\x26rnd=\d{5}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e280159c7c84dd2fa1d93687c355faf4a4ca643f12b4921283104915b341bfc/analysis/; classtype:trojan-activity; sid:19623; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /games/java_trust.php?f="; flow:established,to_server; content:"/games/java_trust.php?f="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.paretologic.com/malwarediaries/index.php/tag/zeus-bot-canada/; classtype:trojan-activity; sid:19778; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /160.rar - Win32/Morto.A"; flow:to_server,established; content:"/160.rar"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.f-secure.com/weblog/archives/00002227.html; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A; classtype:trojan-activity; sid:19882; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - optima/index.php"; flow:to_server,established; content:"/optima/index.php"; nocase; http_uri; content:"uid="; distance:0; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4f9ea5ce70a9a4cc132eb9635e0c5b7e6265ce94be1ff1e9cfd4198dbebd449b/analysis/; classtype:trojan-activity; sid:19913; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC URI - known scanner tool muieblackcat"; flow:to_server, established; content:"/muieblackcat"; nocase; http_uri; pcre:"/\/muieblackcat$/Ui"; metadata:policy security-ips drop, ruleset community, service http; reference:url,serverfault.com/questions/309309/what-is-muieblackcat; classtype:network-scan; sid:21257; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for runforestrun - JS.Runfore"; flow:to_server,established; content:"/runforestrun?sid="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; reference:url,urlquery.net/search.php?q=runforestrun; classtype:trojan-activity; sid:23473; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - ok.XXX4.net/meeting/hi.exe"; flow:to_server,established; content:"/meeting/hi.exe"; fast_pattern:only; http_uri; content:"ok.aa24.net"; http_header; metadata:impact_flag red, service http; reference:url,www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html; classtype:trojan-activity; sid:24019; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - hello.icon.pk"; flow:to_server,established; content:"hello.icon.pk"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html; classtype:trojan-activity; sid:24018; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/ms/check"; flow:to_server,established; content:"/cgi-bin/ms/check"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25397; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/ms/flush"; flow:to_server,established; content:"/cgi-bin/ms/flush"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25398; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/nt/th"; flow:to_server,established; content:"/cgi-bin/nt/th"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25394; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/win/cab"; flow:to_server,established; content:"/cgi-bin/win/cab"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25400; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/win/wcx"; flow:to_server,established; content:"/cgi-bin/win/wcx"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25399; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/nt/sk"; flow:to_server,established; content:"/cgi-bin/nt/sk"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25395; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for /cgi-bin/dllhost/ac"; flow:to_server,established; content:"/cgi-bin/dllhost/ac"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:25396; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS suspicious .c0m.li dns query"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|c0m|02|li|00|"; distance:0; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:27737; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /botnet/tasks.php?uid="; flow:established,to_server; content:"/botnet/tasks.php?uid=|7B|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27981; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - /botnet/adduser.php?uid="; flow:established,to_server; content:"/botnet/adduser.php?uid=|7B|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27980; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - MSIE 9.0 in version 10 format"; flow:to_server,established; content:"User-Agent|3A 20|MSIE 9.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/aaf9b99314eb5201407bc82ee948c0a3a1c6b0a3288e230bc03e4c2a2b4287e3/analysis/; classtype:trojan-activity; sid:29999; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1123 (msg:"MALWARE-CNC User-Agent known malicious user-agent string Cactus"; flow:to_server,established; content:"User-Agent: Cactus/1.6"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/6d6340f3c4b14addfe5a6e815814483d5652a79886fccd305192c6669fb737e4/analysis/; classtype:trojan-activity; sid:31422; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - MSIE 7.0 na - Win.Trojan.Koobface"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| na|3B| )"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef420005a10d73b840604b517c4760400ccfc6c5baba0ae5d05ec6f88e56821e/analysis/; classtype:trojan-activity; sid:31543; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Downloader 1.8 - Win.Trojan.Graftor"; flow:to_server,established; content:"User-Agent|3A| Downloader 1.8|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0F45FB61856437CB3123C4DEAC68942C17ADC6534719E583F22E3DE1F31C1CA5/analysis/; classtype:trojan-activity; sid:31688; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Skypee - Win.Trojan.Rukypee"; flow:to_server,established; content:"User-Agent: Skypee"; fast_pattern:only; http_header; content:"REMOTE_USER:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; classtype:trojan-activity; sid:31949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - MyProgramm - Win.Trojan.Rukypee"; flow:to_server,established; content:"User-Agent: MyProgramm"; fast_pattern:only; http_header; content:"REMOTE_USER:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; classtype:trojan-activity; sid:31948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - HttpCall - Win.Trojan.Rukypee"; flow:to_server,established; content:"User-Agent: HttpCall"; fast_pattern:only; http_header; content:"REMOTE_USER:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/74f22eced680ca26b767b4b07ba26b98536a385249d751586915b15b56509e0d/analysis/; classtype:trojan-activity; sid:31947; rev:3;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; within:36; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/8F2E8572E8FBEE81EDBD2921B231B76B9EBE9066666BB34331F4E68CFE3106C9/analysis/; classtype:trojan-activity; sid:32001; rev:3;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|1E|fxbingpanel.fareexchange.co.uk"; within:31; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/7EF4BBB5F6D2F4EDBAD680DA9BC4F1C0B4977EC79D2757F734B8D218469D54E1/analysis/; classtype:trojan-activity; sid:32000; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; within:23; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/B1347B740C5C0B69DF4A8C1393C700A4A8F8AAB6D6A13B3504C3DADE1C62CA60/analysis/; classtype:trojan-activity; sid:31999; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|12|venturesonsite.com"; within:19; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/15C0DDB7AC91084993195A507E32DB23D977E29850543318C9255B41D470A3BD/analysis/; classtype:trojan-activity; sid:31998; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|12|trudeausociety.com"; within:19; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/file/AA57728BE6899E1A89C189768559E989FF077CC4BF0C8E486D32C85D2D145760/analysis/; classtype:trojan-activity; sid:31997; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; within:18; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/8AEC5C0D03AB78D6B8F3D0DF8479B0CB1292F1EAB41C1CEBCF567502AF5596C0/analysis/; classtype:trojan-activity; sid:31996; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|11|acesecureshop.com"; within:18; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/49A063C4F0FF000AE961A52F364D322A65D656FBF24AE02036A0FD368187D6E1/analysis/; classtype:trojan-activity; sid:31995; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|10|*.999servers.com"; within:17; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/C2208F5CD87743E62883B289BAB6A7D69EF3CEE20FA7D8B90C3E06728BD7C052/analysis/; classtype:trojan-activity; sid:31994; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|0C|iclasshd.net"; within:14; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/BC3A56EBCD6C60682110227771196F3E99AF20F7836F534CBC71A005D913BFB7/analysis/; classtype:trojan-activity; sid:31993; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 03|"; content:"|0A|chatso.com"; within:11; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/15C0DDB7AC91084993195A507E32DB23D977E29850543318C9255B41D470A3BD/analysis/; classtype:trojan-activity; sid:31992; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - XAgent - Operation Pawn Storm"; flow:to_server,established; content:"User-Agent|3A| XAgent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7313eaf95a8a8b4c206b9afe306e7c0675a21999921a71a5a16456894571d21d/analysis/; classtype:trojan-activity; sid:33513; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string crackim"; flow:to_server,established; content:"User-Agent: crackim"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; classtype:trojan-activity; sid:34291; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkcpn"; flow:to_server,established; content:"User-Agent: Mozilla/4.0+(compatible|3B|+MSIE+6.0|3B|+Windows+NT+5.1|3B|+SV1|3B|+.NET+CLR+2.0.50727)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/cab7cd418b1114c277f84c4fe59d05bcf53babf64f16ebe86ab11641bd6bbd94/analysis/; classtype:trojan-activity; sid:34834; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - MyIE 3.01"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:" MyIE 3.01)|0D 0A|"; within:40; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; classtype:trojan-activity; sid:36131; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:4;)
alert tcp $HOME_NET any -> any 53 (msg:"MALWARE-CNC DNS suspicious .bit tcp dns query"; flow:to_server,established; byte_test:1,!&,0xF8,4; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:42841; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Popup Stopper"; flow:to_server,established; content:"User-Agent|3A| Popup Stopper |28|BDLL|29| Agent"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5955; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"User-Agent|3A| SAH Agent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:5808; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Async HTTP Agent"; flow:to_server,established; content:"User-Agent|3A| Async HTTP Agent"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5900; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Casino"; flow:to_server,established; content:"User-Agent|3A| Casino"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.spyany.com/program/article_adw_rm_CasinoOnNet.html; reference:url,www.spywareguide.com/product_show.php?id=1254; classtype:successful-recon-limited; sid:5770; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - My Agent"; flow:to_server,established; content:"User-Agent|3A| My Agent"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,www.megasecurity.org/trojans/w/webdownloader/Webdownloader1.2.html; classtype:misc-activity; sid:5913; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Stubby"; flow:to_server,established; content:"User-Agent|3A| Stubby"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1095; classtype:misc-activity; sid:6274; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - CodeguruBrowser"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"CodeguruBrowser"; distance:0; fast_pattern; nocase; http_header; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1750; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088444; classtype:misc-activity; sid:6394; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Need2Find"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Need2Find"; fast_pattern; nocase; http_header; content:"Bar"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Need2Find\s+Bar/smiH"; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=2195; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096250; classtype:misc-activity; sid:6357; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SpywareStrike"; flow:to_server,established; content:"User-Agent|3A| SpywareStrike"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,www.adwarereport.com/mt/archives/000248.html; reference:url,www.spywareguide.com/product_show.php?id=2438; classtype:misc-activity; sid:6186; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - eAnthMngr"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"eAnthMngr"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*eAnthMngr/smiH"; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=398; classtype:misc-activity; sid:6366; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - MGS-Internal-Web-Manager"; flow:to_server,established; content:"User-Agent|3A| MGS-Internal-Web-Manager"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.f-secure.com/sw-desc/microgaming.shtml; reference:url,www.spywareremove.com/removeMicrogaming.html; classtype:misc-activity; sid:6362; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - snprtzdialno"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"snprtz|7C|dialno"; distance:0; fast_pattern; nocase; http_header; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=2446; classtype:misc-activity; sid:6491; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - IEP"; flow:to_server,established; content:"User-Agent|3A| IEP"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.sunbelt-software.com/research/threat_display.cfm?name=DSrch&threatid=41080; classtype:misc-activity; sid:7135; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Spy-Locked"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Spy-Locked"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Spy\-Locked/smiH"; metadata:policy security-ips drop, service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=SpyLocked&threatid=129037; classtype:misc-activity; sid:11313; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SpyDawn"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SpyDawn"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpyDawn/smiH"; metadata:policy security-ips drop, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453109604; classtype:misc-activity; sid:11308; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SpamBlockerUtility"; flow:to_server,established; content:"User-Agent|3A| SpamBlockerUtility 4.8.4"; fast_pattern:only; metadata:service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.hotbar.html; reference:url,www.spywareguide.com/product_show.php?id=481; classtype:misc-activity; sid:12371; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ZOMBIES_HTTP_GET"; flow:to_server,established; content:"User-Agent|3A| ZOMBIES_HTTP_GET"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PseudoRAT&threatid=10053; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079890; classtype:misc-activity; sid:12482; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SpeedRunner"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SpeedRunner"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SpeedRunner/smiH"; metadata:service http; reference:url,spywarefiles.prevx.com/RRDAJJ44598849/SPEEDRUNNER.EXE.html; reference:url,www.bleepingcomputer.com/startups/SpeedRunner-22778.html; classtype:successful-recon-limited; sid:13855; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - opera"; flow:to_server,established; content:"User-Agent|3A 20|opera|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.askmehelpdesk.com/spyware-viruses-etc/pop-up-http-rightonadz-biz-bc-123kah-php-151385.html; reference:url,www.nettrafficchat.com/showthread.php?t=1347; classtype:successful-recon-limited; sid:13932; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - PcPcUpdater"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"PcPcUpdater"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*PcPcUpdater/smiH"; metadata:service http; reference:url,malware-remover.com/pcprivacycleaner-removal-tool-pc-privacy-cleaner/; reference:url,www.xp-vista.com/spyware-removal/pcprivacycleaner-pc-privacy-cleaner-removal-instructions; classtype:misc-activity; sid:13931; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - DMFR"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"DMFR"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*DMFR\x0d\x0a/smH"; metadata:service http; reference:url,www.liveinternet.ru/users/murzilka2/; classtype:successful-recon-limited; sid:14057; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - CPUSH_HOMEPAGE"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"CPUSH_HOMEPAGE"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*CPUSH\x5fHOMEPAGE/smiH"; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453101269; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99; classtype:misc-activity; sid:14059; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Feat2 Updater"; flow:to_server,established; content:"User-Agent|3A| Feat2 Updater"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=2165; classtype:misc-activity; sid:5970; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - istsvc"; flow:to_server,established; content:"User-Agent|3A| istsvc"; fast_pattern:only; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=974; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453093992; classtype:misc-activity; sid:6281; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Browser Pal"; flow:to_server,established; content:"User-Agent|3A| Browser Pal"; fast_pattern:only; metadata:policy security-ips alert, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074906; classtype:successful-recon-limited; sid:5954; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Strip-Player"; flow:to_server,established; content:"User-Agent|3A| Strip-Player"; fast_pattern:only; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=455; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072548; classtype:misc-activity; sid:5824; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ZC-Bridge"; flow:to_server,established; content:"User-Agent|3A| ZC-Bridge"; fast_pattern:only; http_header; metadata:service http; classtype:successful-recon-limited; sid:5988; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - URLBlaze"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"URLBlaze"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*URLBlaze/smiH"; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=743; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073195; classtype:misc-activity; sid:7587; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - TeomaBar"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"TeomaBar"; distance:0; fast_pattern; nocase; http_header; metadata:policy security-ips alert, service http; reference:url,www.castlecops.com/tk731-Teoma_Bar.html; classtype:misc-activity; sid:5986; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - OSSProxy"; flow:to_server,established; content:"User-Agent|3A| OSSProxy"; fast_pattern:only; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=488; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43974; classtype:misc-activity; sid:5760; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Navhelper"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Navhelper"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*Navhelper/smiH"; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=607; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074928; classtype:misc-activity; sid:7832; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - iMeshBar"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"iMeshBar"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*iMeshBar/smiH"; metadata:policy security-ips alert, service http; reference:url,www.file.net/process/imeshbar.dll.html; classtype:misc-activity; sid:6364; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - EI"; flow:to_server,established; content:"User-Agent|3A| EI|0D 0A|"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5838; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Mirar_KeywordContentHijacker"; flow:to_server,established; content:"User-Agent|3A| Mirar_KeywordContent"; fast_pattern:only; http_header; metadata:service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Adware%3AWin32%2FMirar; classtype:misc-activity; sid:5992; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - FSW"; flow:to_server,established; content:"User-Agent|3A| FSW"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=478; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073903; classtype:misc-activity; sid:5774; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - shprrprt-cs-"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"shprrprt-cs-"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*shprrprt-cs-\d+\x2E\d+\x2E\d+/smiH"; metadata:policy security-ips alert, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:7195; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Spedia"; flow:to_server,established; content:"User-Agent|3A| Spedia"; fast_pattern:only; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=1693; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074295; classtype:misc-activity; sid:6341; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - BysooTB"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"BysooTB"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*BysooTB/smiH"; metadata:policy security-ips alert, service http; reference:url,www.360safe.com/elist.html; classtype:successful-recon-limited; sid:10179; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - smrtshpr-cs"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"smrtshpr-cs-"; distance:0; fast_pattern; nocase; http_header; metadata:policy security-ips alert, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_133312.htm; classtype:misc-activity; sid:6197; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - TM_SEARCH3"; flow:to_server,established; content:"User-Agent|3A| TM_SEARCH3"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=2645; classtype:misc-activity; sid:5978; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - MyBrowser"; flow:to_server,established; content:"User-Agent|3A| MyBrowser"; fast_pattern:only; metadata:impact_flag red, policy security-ips alert, service http; reference:url,www.spywareguide.com/product_show.php?id=613; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094103; classtype:misc-activity; sid:6270; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - adfsgecoiwnf"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"adfsgecoiwnf"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*adfsgecoiwnf/smiH"; metadata:policy security-ips drop, service http; reference:url,secunia.com/virus_information/22999/spam-maxy/; reference:url,vil.mcafeesecurity.com/vil/content/v_136735.htm; classtype:misc-activity; sid:7145; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ed2k edonkey2000 runtime detection"; flow:to_server,established; content:"User-Agent|3A| ed2k"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.fbmsoftware.com/spyware-net/Process/edonkey2000_exe/705/; classtype:misc-activity; sid:7511; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Arrow Search"; flow:to_server,established; content:"User-Agent|3A| Arrow Search"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.rt-software.co.uk/arrow_search/index.html; classtype:successful-recon-limited; sid:7537; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - malware"; flow:to_server,established; content:"malware"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*malware/miH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c/detection; classtype:trojan-activity; sid:16551; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Tear Application"; flow:to_server,established; content:"User-Agent|3A| Tear Application"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=48f1270338bc233839ffefa7e5eefde7; classtype:trojan-activity; sid:16497; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - EzReward"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"EzReward"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*EzReward/smiH"; metadata:service http; reference:url,research.sunbeltsoftware.com/threatdisplay.aspx?name=ezReward&threatid=144116; reference:url,www.sophos.com/security/analyses/adware-and-puas/ezreward.html; classtype:misc-activity; sid:13782; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - http protocol"; flow:to_server,established; content:"User-Agent|3A| http protocol"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074224; classtype:misc-activity; sid:7540; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAcc"; flow:to_server,established; content:"User-Agent|3A| SAcc"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfaccuracy.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094263; classtype:misc-activity; sid:6363; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - DigExt"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"DigExt"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*DigExt/smiH"; metadata:policy security-ips alert, service http; reference:url,codegravity.com/index.php/spyware; classtype:misc-activity; sid:7572; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ProxyDown"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ProxyDown"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*ProxyDown/smiH"; metadata:policy security-ips drop, service http; reference:url,www.zhongsou.com; classtype:misc-activity; sid:6354; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - WakeSpace"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WakeSpace"; fast_pattern; nocase; http_header; pcre:"/^User\x2DAgent\x3a[^\r\n]*WakeSpace/smiH"; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453118801; classtype:successful-recon-limited; sid:12723; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SysCleaner"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SysCleaner"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*SysCleaner/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123831; reference:url,spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm; classtype:successful-recon-limited; sid:13777; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - AdTools"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"AdTools"; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3a[^\r\n]*AdTools/iH"; metadata:policy security-ips drop, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082798; classtype:successful-recon-limited; sid:5901; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ActMon"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"ActMon"; distance:0; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3a[^\r\n]*ActMon/H"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1989; classtype:successful-recon-limited; sid:5789; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - MyWebSearchSearchAssistance"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"MyWebSearchSearchAssistant"; fast_pattern; nocase; http_header; metadata:policy security-ips drop, service http; reference:url,www.pchell.com/support/funbuddyicons.shtml; classtype:misc-activity; sid:5857; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SAH Agent"; flow:to_server,established; content:"SAH Agent"; fast_pattern:only; http_header; pcre:"/^User-Agent\s*\x3A[^\r\n]*SAH Agent/miH"; metadata:policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082; classtype:successful-recon-limited; sid:7187; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Pcast Live"; flow:to_server,established; content:"User-Agent|3A| Pcast Live"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098354; classtype:misc-activity; sid:7582; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - MyWay"; flow:to_server,established; content:"User-Agent|3A| "; nocase; http_header; content:"MyWay"; within:20; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3a[^\r\n]*MyWay/iH"; metadata:policy security-ips drop, service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5800; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SQTR_VERIFY"; flow:to_server,established; content:"User-Agent|3A| SQTR_VERIFY"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,sidebar.squaretrade.com; reference:url,vil.mcafeesecurity.com/vil/content/v_137515.htm; classtype:successful-recon-limited; sid:6198; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - CPUSH_UPDATER"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"CPUSH_UPDATER"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*CPUSH\x5fUPDATER/smiH"; metadata:service http; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453101269; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031215-0744-99; classtype:misc-activity; sid:14060; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - iebar"; flow:to_server,established; content:"User-Agent|3A| iebar"; fast_pattern:only; http_header; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=1124; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094053; classtype:successful-recon-limited; sid:12674; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - RCleanT"; flow:to_server,established; content:"User-Agent|3A 20|RCleanT"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1cd6c0840b26201d5a4556c78ac0b775/detection; classtype:trojan-activity; sid:19047; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - RAV1"; flow:to_server,established; content:"User-Agent|3A 20|RAV1|2E|23"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/24736adee0f987224691a5aae44aac83/detection; classtype:trojan-activity; sid:19485; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ie 11.0 sp6"; flow:to_server,established; content:"User-Agent|3A| ie 11.0 sp6"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/ede2295e514de8ba02c6438149b5cdd1/detection; classtype:trojan-activity; sid:19570; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Mozilla"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b2bbf40a742468b710914920e043055c634a27301f235e2739c099da6638d6bd/analysis/; classtype:trojan-activity; sid:19786; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent TCYWinHTTPDownload"; flow:to_server,established; content:"User-Agent|3A| TCYWinHTTPDownload"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21526; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent ErrCode - W32/Fujacks.htm"; flow:established,to_server; content:"User-Agent|3A| ErrCode"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f9dc0803ea4634256eae73b2db61a3c5/detection; classtype:trojan-activity; sid:18247; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Search Toolbar 1.1"; flow:to_server,established; content:"User-Agent|3A| Search Toolbar 1.1|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18362; classtype:trojan-activity; sid:18362; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Opera/9.80 Pesto/2.2.15"; flow:to_server,established; content:"User-Agent|3A| Opera/9.80 Pesto/2.2.15|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18348; classtype:trojan-activity; sid:18348; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string WSEnrichment"; flow:to_server,established; content:"User-Agent|3A| WSEnrichment|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18343; classtype:trojan-activity; sid:18343; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string FPUpdater"; flow:to_server,established; content:"User-Agent|3A| FPUpdater|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18380; classtype:trojan-activity; sid:18380; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string GPUpdater"; flow:to_server,established; content:"User-Agent|3A| GPUpdater"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18351; classtype:trojan-activity; sid:18351; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Installer"; flow:to_server,established; content:"User-Agent|3A| Installer|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18373; classtype:trojan-activity; sid:18373; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string dwplayer"; flow:to_server,established; content:"User-Agent|3A| dwplayer|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18387; classtype:trojan-activity; sid:18387; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string random"; flow:to_server,established; content:"User-Agent|3A| random|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18356; classtype:trojan-activity; sid:18356; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string PinballCorp-BSAI/VER_STR_COMMA"; flow:to_server,established; content:"User-Agent|3A| PinballCorp-BSAI/VER_STR_COMMA|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18352; classtype:trojan-activity; sid:18352; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Agentcc"; flow:to_server,established; content:"User-Agent|3A| Agentcc|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18365; classtype:trojan-activity; sid:18365; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string iexp-get"; flow:to_server,established; content:"User-Agent|3A| iexp-get|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18369; classtype:trojan-activity; sid:18369; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Mozilla Windows MSIE"; flow:to_server,established; content:"User-Agent|3A| Mozilla Windows MSIE|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18370; classtype:trojan-activity; sid:18370; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string malware"; flow:to_server,established; content:"User-Agent|3A| malware|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18377; classtype:trojan-activity; sid:18377; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string iamx/3.11"; flow:to_server,established; content:"User-Agent|3A| iamx/3.11|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18337; classtype:trojan-activity; sid:18337; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string GPInstaller"; flow:to_server,established; content:"User-Agent|3A| GPInstaller"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18383; classtype:trojan-activity; sid:18383; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string RookIE/1.0"; flow:to_server,established; content:"User-Agent|3A| RookIE/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-18388; classtype:trojan-activity; sid:18388; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Trololo"; flow:to_server,established; content:"User-Agent|3A| Trololo|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18376; classtype:trojan-activity; sid:18376; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string qixi"; flow:to_server,established; content:"User-Agent|3A| qixi|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18392; classtype:trojan-activity; sid:18392; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Downloader1.1"; flow:to_server,established; content:"User-Agent|3A| Downloader1.1|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18361; classtype:trojan-activity; sid:18361; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string ClickAdsByIE 0.7.5"; flow:to_server,established; content:"User-Agent|3A| ClickAdsByIE 0.7.5|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18340; classtype:trojan-activity; sid:18340; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Flipopia"; flow:to_server,established; content:"User-Agent|3A| Flipopia|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18349; classtype:trojan-activity; sid:18349; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Shareaza"; flow:to_server,established; content:"User-Agent|3A| Shareaza|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18359; classtype:trojan-activity; sid:18359; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Our_Agent"; flow:to_server,established; content:"User-Agent|3A| Our_Agent|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18368; classtype:trojan-activity; sid:18368; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Se2011"; flow:to_server,established; content:"User-Agent|3A| Se2011|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18355; classtype:trojan-activity; sid:18355; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string vyre32"; flow:to_server,established; content:"User-Agent|3A| vyre32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18393; classtype:trojan-activity; sid:18393; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string QvodDown"; flow:to_server,established; content:"User-Agent|3A| QvodDown|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18371; classtype:trojan-activity; sid:18371; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string gbot/2.3"; flow:to_server,established; content:"User-Agent|3A| gbot/2.3|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18336; classtype:trojan-activity; sid:18336; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MyLove"; flow:to_server,established; content:"User-Agent|3A| MyLove|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18391; classtype:trojan-activity; sid:18391; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string HTTP Wininet"; flow:to_server,established; content:"User-Agent|3A| HTTP Wininet|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18375; classtype:trojan-activity; sid:18375; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Oncues"; flow:to_server,established; content:"User-Agent|3A| Oncues|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18360; classtype:trojan-activity; sid:18360; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string 3653Client"; flow:to_server,established; content:"User-Agent|3A| 3653Client|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18389; classtype:trojan-activity; sid:18389; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string opera/8.11"; flow:to_server,established; content:"User-Agent|3A| opera/8.11|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18354; classtype:trojan-activity; sid:18354; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string HTTPCSDCENTER"; flow:to_server,established; content:"User-Agent|3A| HTTPCSDCENTER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18385; classtype:trojan-activity; sid:18385; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string UtilMind HTTPGet"; flow:to_server,established; content:"User-Agent|3A| UtilMind HTTPGet|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18341; classtype:trojan-activity; sid:18341; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string msndown"; flow:to_server,established; content:"User-Agent|3A| msndown|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18364; classtype:trojan-activity; sid:18364; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string GPRecover"; flow:to_server,established; content:"User-Agent|3A| GPRecover"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18346; classtype:trojan-activity; sid:18346; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string AskInstallChecker"; flow:to_server,established; content:"User-Agent|3A| AskInstallChecker|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18379; classtype:trojan-activity; sid:18379; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string GabPath"; flow:to_server,established; content:"User-Agent|3A| GabPath|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18350; classtype:trojan-activity; sid:18350; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Macrovision_DM_2.4.15"; flow:to_server,established; content:"User-Agent|3A| Macrovision_DM_2.4.15"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18345; classtype:trojan-activity; sid:18345; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string OCRecover"; flow:to_server,established; content:"User-Agent|3A| OCRecover|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18394; classtype:trojan-activity; sid:18394; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Travel Update"; flow:to_server,established; content:"User-Agent|3A| Travel Update|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18381; classtype:trojan-activity; sid:18381; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string FPRecover"; flow:to_server,established; content:"User-Agent|3A| FPRecover|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18367; classtype:trojan-activity; sid:18367; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Setup Factory"; flow:to_server,established; content:"User-Agent|3A| Setup Factory|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18357; classtype:trojan-activity; sid:18357; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string NSISDL/1.2"; flow:to_server,established; content:"User-Agent|3A| NSISDL/1.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18338; classtype:trojan-activity; sid:18338; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string SurfBear"; flow:to_server,established; content:"SurfBear|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18374; classtype:trojan-activity; sid:18374; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string AHTTPConnection"; flow:to_server,established; content:"User-Agent|3A| AHTTPConnection|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18386; classtype:trojan-activity; sid:18386; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Delphi 5.x"; flow:to_server,established; content:"User-Agent|3A| Delphi 5.x|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18390; classtype:trojan-activity; sid:18390; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string GPRecover"; flow:to_server,established; content:"User-Agent|3A| GPRecover"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18363; classtype:trojan-activity; sid:18363; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string AutoIt"; flow:to_server,established; content:"User-Agent|3A| AutoIt|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18347; classtype:trojan-activity; sid:18347; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string OCInstaller"; flow:to_server,established; content:"User-Agent|3A| OCInstaller|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18366; classtype:trojan-activity; sid:18366; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string NSIS_INETLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_INETLOAD"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18358; classtype:trojan-activity; sid:18358; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent request for known PUA user agent - SelectRebates"; flow:to_server,established; content:"User-Agent|3A| SelectRebates"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-18353; classtype:trojan-activity; sid:18353; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Duckling/1.0"; flow:to_server,established; content:"User-Agent|3A| Duckling/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18395; classtype:trojan-activity; sid:18395; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string NSIS_DOWNLOAD"; flow:to_server,established; content:"User-Agent|3A| NSIS_DOWNLOAD|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18342; classtype:trojan-activity; sid:18342; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string WMUpdate"; flow:to_server,established; content:"User-Agent|3A| WMUpdate|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18382; classtype:trojan-activity; sid:18382; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string AutoHotkey"; flow:to_server,established; content:"User-Agent|3A| AutoHotkey|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-18378; classtype:trojan-activity; sid:18378; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Microsoft Internet Explorer"; flow:to_server,established; content:"User-Agent|3A 20|Microsoft Internet Explorer|20 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; sid:19165; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent wget 3.0"; flow:to_server,established; content:"User-Agent|3A 20|wget|20 33 2E 30 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=a860efad636dba6ee1d270a1238a559c; classtype:trojan-activity; sid:19175; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string javasw - Trojan.Banload"; flow:established,to_server; content:"User-Agent|3A| javasw|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/46baf3e38915af501d8f3cefe3be048ba5a359134c9a35636400d04cf646360e/analysis/; classtype:trojan-activity; sid:19372; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string ErrCode"; flow:to_server,established; content:"User-Agent|3A 20|ErrCode|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/6617b6ebcfb381f0b3473e77ca67cb26db176a33d682b236154ac73e545a19b9/analysis/; classtype:trojan-activity; sid:19434; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string ErrorFix"; flow:to_server,established; content:"User-Agent|3A 20|Error|20|Fix"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f93aae75c25ae232a68f13e3b579f2ea/detection; classtype:trojan-activity; sid:19482; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string STORMDDOS - Backdoor.Win32.Inject.ctt"; flow:to_server,established; content:"User-Agent|3A 20|STORMDDOS"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/eb85f7ec383b4e76046cfbddd183d592/detection; classtype:trojan-activity; sid:19480; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent string MacProtector"; flow:to_server,established; content:"User-Agent|3A 20|MacProtector"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466/analysis/; classtype:trojan-activity; sid:19589; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent string INet - Win32.Virus.Jusabli.A"; flow:to_server,established; content:"/new.aspv0"; http_uri; content:"User-Agent|3A 20|INet|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2bfa66e414e3e4dbf27e05ead008caa02cfc46e3971731d18f64d7d7f6323acc/analysis/; classtype:trojan-activity; sid:19611; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Opera/8.89 - P2P-Worm.Win32.Palevo.ddm"; flow:to_server,established; content:"User-Agent|3A 20|Opera|2F|8|2E|89"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/bc58e841f8a43072da7b3c7647828cb8/detection; classtype:trojan-activity; sid:19756; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MYURL"; flow:to_server,established; content:"User-Agent|3A 20|MYURL|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/7c6df3935657357ac8c8217872d19845bbd3321a1daf9165cdec6d72a0127dab/analysis/; classtype:trojan-activity; sid:19934; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Hardcore Software"; flow:to_server,established; content:"User-Agent|3A| HardCore Software"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3089f01c9893116ac3ba54f6661020203e4c1ea72d04153af4a072253fcf9e68/analysis/; classtype:trojan-activity; sid:20039; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent string Baby Remote - Win32/Babmote.A"; flow:to_server,established; content:"User-Agent|3A| Baby Remote"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0712178d245f4e5a5d0cf6318bf39144/detection; classtype:trojan-activity; sid:20009; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Brontok user-agent outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02954713a5e0c00f50f118c130d55ebe5c9855813e0ea387f07504a530e1fff1/analysis/; classtype:trojan-activity; sid:20021; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string feranet/0.4 - Win32/Ferabsa.A"; flow:to_server,established; content:"User-Agent|3A| feranet/0.4|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/93c9b388af56cd66c55630509db05dfd/detection; classtype:trojan-activity; sid:20012; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - darkness"; flow:to_server,established; content:"User-Agent|3A| darkness"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30ae2284f7d211b8e448f4b011ee554d1303a0ef0163c4b664fe09d168b4441a/analysis/; classtype:trojan-activity; sid:20106; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - IPHONE"; flow:to_server,established; content:"User-Agent|3A| IPHONE"; http_header; pcre:"/IPHONE\d+.\d/sH"; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,www.virustotal.com/en/file/459c30e9568295b0d9a3e5092734bb7fb6137b9bb8d7cbf5486b62e48e36bd7c/analysis/; classtype:trojan-activity; sid:20105; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - InfoBot"; flow:to_server,established; content:"User-Agent|3A| InfoBot|2F|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0d624da9ec161f78c513cf6b0c85a069b65581cf09ba0a3315e2cac83a89a685/analysis/; classtype:trojan-activity; sid:20104; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - meterpreter"; flow:to_server,established; content:"User-Agent|3A| Meterpreter"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:trojan-activity; sid:20201; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string 0pera 10"; flow:to_server,established; content:"User-Agent|3A| 0pera 10"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/68c5adbc86aad8332455dcacbe624718d053d9078e99e149d6ecc69085a9e691/analysis/; classtype:trojan-activity; sid:20230; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Mozilla//4.0"; flow:to_server,established; content:"User-Agent|3A| Mozilla//4.0 [compatible"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/56afa16e9c6bb2a379d3cff3787d18fa0a7b5f3c3df712ac9702cad789d7eb29/analysis/; classtype:trojan-activity; sid:20231; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MBVDFRESCT"; flow:to_server,established; content:"User|2D|Agent|3A| MBVDFRESCT"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40/analysis/; classtype:trojan-activity; sid:20293; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string ZmEu - vulnerability scanner"; flow:established,to_server; content:"ZmEu"; fast_pattern:only; http_header; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*ZmEu/Hm"; metadata:service http; reference:url,ensourced.wordpress.com/2011/02/25/zmeu-attacks-some-basic-forensic/; reference:url,installation.m2osw.com/zmeu-attack; classtype:network-scan; sid:20988; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string API Guide test program"; flow:to_server,established; content:"User|2D|Agent|3A| API|2D|Guide test program"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/97ff0c3329bff100cae187cd91dc761495dc8927ebcc64bc04025134624951f6/analysis/; reference:url,www.virustotal.com/file/cb5df70973c7ccedd7ee76e4dcadc2b8b7abab51b1aa16bcac4dd57df9b99182/analysis/; classtype:trojan-activity; sid:21188; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Win32 Amti"; flow:to_server,established; content:"User-Agent|3A| Win32|2F|Amti"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5c1b20432a465cfc9f830a8507645b757a95aadcb1f0dd74a05b3c76daddeef9/analysis/; classtype:trojan-activity; sid:21175; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string DataCha0s"; flow:to_server, established; content:"User-Agent|3A 20|DataCha0s"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.internetofficer.com/web-robot/datacha0s/; classtype:network-scan; sid:21246; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Flag"; flow:to_server,established; content:"User-Agent|3A| Flag|3A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/43606116e03672d5c2bca7d072caa573d3fc2463795427d6f5abfa25403bd280/analysis/; classtype:trojan-activity; sid:21225; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Aldi Bot"; flow:to_server,established; content:"User-Agent|3A| Aldi Bot"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7b17e377e2c44bdad10828dffd9da193a08de4512b47e5caae8a654a9406bb98/analysis/; classtype:trojan-activity; sid:21206; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Morfeus Scanner"; flow:to_server, established; content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:network-scan; sid:21266; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Google Bot"; flow:to_server,established; content:"User-Agent|3A 20|Google Bot|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9b5ea51d036ed45e7665abb280e43459/detection; classtype:trojan-activity; sid:21278; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent ASafaWeb Scan"; flow:to_server,established; content:"User-Agent|3A| asafaweb.com"; fast_pattern:only; http_header; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - QvodDown"; flow:to_server,established; content:"User-Agent|3A| QvodDown"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d549699a392c6e45cff7ed3621849867/detection; classtype:trojan-activity; sid:21380; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string psi"; flow:to_server,established; content:"User-Agent|3A 20|psi|20|v"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b76f804853db8b602393a588385e3c091bfb81b312ca8d7228881fc9d8bdae6e/analysis/1330351984/; classtype:trojan-activity; sid:21455; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent YZF"; flow:to_server,established; content:"User-Agent|3A| YZF|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/92221d283f4d4109b1e8ba139355498cf5b1f444ef8ea181e8ecdc4f68558a97/analysis/; classtype:trojan-activity; sid:21476; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string 1234567890"; flow:to_server,established; content:"User-Agent|3A| 1234567890"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/aead70177d2932a1ddd4556fa6b7eb3f7a136f58d5511e2c391b74c0f6d32a98/analysis/; classtype:trojan-activity; sid:21469; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string core-project"; flow:to_server, established; content:"User-Agent|3A 20|core-project"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:misc-activity; sid:21475; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Adware user agent Gamevance tl_v"; flow:to_server,established; content:"User-Agent|3A| tl_v"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/009b5aba4b00bb618b46987630c23c69b20af29194c3e50a5c6dd2ae04338dd1/analysis/; classtype:trojan-activity; sid:21591; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Adware user agent mus - TDSS related"; flow:to_server,established; content:"User-Agent|3A| mus"; fast_pattern:only; http_header; pcre:"/User-Agent\x3A\s+?mus[\x0d\x0a]/iH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/dd3979104aea7a45136e51a24fddcda4658d1825e5a4ee65f2e0601d5ddfc971/analysis/; classtype:trojan-activity; sid:21639; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Adware user agent gbot"; flow:to_server,established; content:"User-Agent|3A| gbot"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/289eb3becfaf41707ff5e5315c6ba0cca3a5b84f5241d596c748eb036a22a889/analysis/; classtype:trojan-activity; sid:21636; rev:3;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent BOT/0.1"; flow:to_server,established; content:"User-Agent|3A| BOT/0.1 |28|BOT for JCE|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.joomlacontenteditor.net/news/item/jce-2011-released; classtype:trojan-activity; sid:21925; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent VB WININET"; flow:to_server,established; content:"User-Agent|3A| vb wininet"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8583A562EBFE78EC315794E8BC8703D2A75C3516D9699D8C5010D0D2B7DD98DE/analysis/; reference:url,www.virustotal.com/file/a4e393db1819366f16c2aaa0d9085aa04ee1caa4397b7a78cf4cc7de19610dbb/analysis/; classtype:trojan-activity; sid:21965; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent RAbcLib"; flow:to_server,established; content:"User-Agent|3A| RAbcLib"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/47D648603A2923D4539AAF6D4F63B3B704CCE090F68BB394A0F8B1BC2649844A/analysis/; classtype:trojan-activity; sid:22939; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Flame malware"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B|Windows NT 5.1|3B| .NET CLR 1.1.2150|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23019; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - PoisonIvy RAT"; flow:to_server,established; content:"User-Agent|3A| PoisonIvy"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.poisonivy-rat.com; reference:url,www.virustotal.com/file/c71d8085544e6f81e0301d9dd5cdf88369339a6001bab8e4fda22de9ec0fee31/analysis/; classtype:trojan-activity; sid:23627; rev:3;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - you"; flow:to_server,established; content:"User-Agent|3A| you|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:23903; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Post"; flow:to_server,established; content:"User-Agent|3A| Post|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; classtype:trojan-activity; sid:24111; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Alerter COM"; flow:to_server,established; content:"User-Agent|3A| Alerter COM+"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24442; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Testing"; flow:to_server,established; content:"User-Agent|3A| Testing|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24441; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Mozilla/00"; flow:to_server,established; content:"User-Agent|3A| Mozilla/00"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/F6B7DF4009F41D103F5B856F1C6F1E6C05667D21F4F7528EF554C7E2ADB4F39C/analysis/; classtype:trojan-activity; sid:24568; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Opera/9.61"; flow:to_server,established; content:"User-Agent: Opera/9.61|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/78F000C1901081A2B7F43E55843BA89B3ED2BE2CAB2C3C36F04C768800863940/analysis/; classtype:trojan-activity; sid:24575; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - vaccinepc"; flow:to_server,established; content:"User-Agent: vaccinepc"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24634; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Lizard/1.0"; flow:to_server,established; content:"User-Agent: Lizard/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/F885D6F24FFE5CD899841E9B9914F7CC1CF22C13C5EBF5332F1A1B4F378793FE/analysis/; classtype:trojan-activity; sid:24631; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - test_hInternet"; flow:to_server,established; content:"User-Agent: test_hInternet|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24633; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent - Google page"; flow:to_server,established; content:"|0D 0A|User-Agent|3A 20|Google page|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ed78ab626837cd254b1e2600196b7406995d0d8e4397e0a16b830e78ccc216f5/analysis/; classtype:trojan-activity; sid:24792; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; content:"User-Agent: User-Agent: Opera/"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/E50BE9062933ACA19777767538BC9E03C94DB23AFBC4F6F19383FCBA3479EAB4/analysis/; classtype:trojan-activity; sid:25009; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - me0hoi"; flow:to_server,established; content:"User-Agent: me0hoi|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/7919E2A3586AA83072689A5DB77DA8DDB4F675421D775C8F1A0110D12423EF3E/analysis/; classtype:trojan-activity; sid:25245; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - 04/XP"; flow:to_server,established; content:"User-Agent: 04/XP|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/641B3981E33E33030D3D75EDE4D4F2C896D9F355FC9075B2F852E874FBB97F7A/analysis/; classtype:trojan-activity; sid:25243; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string IEToolbar"; flow:to_server,established; content:"User-Agent|3A| IEToolbar|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/a9d7cc0393a147102bb3c6e96988ea796db4492cc7eac1ad75bcc29df66fd3f4/analysis/; classtype:trojan-activity; sid:25262; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MSIE"; flow:to_server,established; content:"User-Agent|3A| MSIE|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/372c3793eee53fde5b2d5bf6bf7beb0417e51dbb1b02aefbabfa5f39bd8d51e2/analysis/; classtype:trojan-activity; sid:25261; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Mozila"; flow:to_server,established; content:"User-Agent|3A| Mozila|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/7ccb29829be1f1850bd34f16b8b3468590dcd1abfab8d4b5910cb0be36286fa5/analysis/; classtype:trojan-activity; sid:25260; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - wh"; flow:to_server,established; content:"User-Agent: wh/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/48538D65E26BB2E219484A39CDEC98939B4B653988F2214C6D9FDF93CA5CA683/analysis/; classtype:trojan-activity; sid:25372; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/4.0"; fast_pattern:only; http_header; pcre:"/^\x2f[0-9a-z]{30}$/Umi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:25476; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - al"; flow:to_server,established; content:"User-Agent|3A 20|al|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0D4B5D9A9206FBD7C63F507F79F86E23A38468C99334C3F30BC789528D9BD60D/analysis/; classtype:trojan-activity; sid:25533; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ctwopop"; flow:to_server,established; content:"ctwopop|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CC12CAF863DE3B07D76D043346280FC933BE6F9F3298CA04DFB737C531E1E338/analysis/; classtype:trojan-activity; sid:25544; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - test"; flow:to_server,established; content:"User-Agent|3A| test|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2b5064dcf918207d31537e41c1b43b6cac2b62f9d343005c1180dde8e21790d9/analysis/; classtype:trojan-activity; sid:20019; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Pass"; flow:to_server,established; content:"User-Agent: Pass:"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4C49053900B8AD85721469996B580B09B890CD383D3D33B3E12FA32305E0E287/analysis/; classtype:trojan-activity; sid:25980; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent cibabam"; flow:to_server,established; content:"User-Agent|3A| cibabam|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/d8a18e7ce01d17149ada4a46ff3889da/analysis/; classtype:trojan-activity; sid:26248; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Win"; flow:to_server,established; content:"User-Agent|3A| Win|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26702; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Alina"; flow:to_server, established; content:"User-Agent|3A| Alina"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/102fa9c066102db7ebf821e28dbc6363d544843bfe45c331eb826663ab6c74b9/analysis/; classtype:trojan-activity; sid:26686; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string J13A"; flow:to_server,established; content:"User-Agent: J13A|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/75667889BC6ACBB77E57EF02DDE1D908EEF9625292618E31E7D4F5194733C6F0/analysis/; classtype:trojan-activity; sid:26685; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - msctls_progress32"; flow:to_server,established; content:"User-Agent|3A| msctls_progress32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0b88db0c00910a9f018189a01bb9ab2b166cf16f73930d96e519281d6c5b3001/analysis/; classtype:trojan-activity; sid:26751; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string iexplorer"; flow:to_server,established; content:"User-Agent|3A| iexplorer"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fDiofopi.E; classtype:trojan-activity; sid:27015; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - yahoonews"; flow:to_server,established; content:"User-Agent|3A| yahoonews|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/49608d016caf8dc31e95e01bd76cc4ac3f37df47b1299931f872e67a4ec80fa3/analysis/; classtype:trojan-activity; sid:27263; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string IExplore"; flow:to_server,established; content:"User-Agent|3A| IExplore|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/87bd1619b55d43fe3eb5ffc489b9019f9b8240a8b04678db0111e77ba6168edd/analysis/; classtype:trojan-activity; sid:27710; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string umbra"; flow:to_server,established; content:"User-Agent|3A| umbra|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; reference:url,www.virustotal.com/en/file/4e9cbc435fa414b993a1fe36d562431fc7c1a306a752631a2ab2664f59e7f0c0/analysis/; classtype:trojan-activity; sid:27709; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - dt12012"; flow:to_server,established; content:"User-Agent: dtl2012|0D 0A|"; fast_pattern:only; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9ECB27EBA81DF9B7DAE3F5B7F096A63BE22B2D20F7ED6EB776EF95A82F2A9D2B/analysis; classtype:trojan-activity; sid:27868; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string SUiCiDE/1.5"; flow:to_server,established; content:"User-Agent|3A 20|SUiCiDE/1.5|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28362; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string getURLdown"; flow:to_server,established; content:"User-Agent: getURLDown|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58d72bee4a896b700a6a059ec19a6a49a1ce668010e3ef6d14d09d016d52c769/analysis/; classtype:trojan-activity; sid:28558; rev:2;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.Zollard"; flow:to_server,established; content:"User-Agent|3A| Zollard|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:28852; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Nitedrem"; flow:to_server,established; content:"User-Agent|3A| f|75|cking|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/196b26642b95e6a4ae58215d3f4ebcaf3c9a879b7b1bd3c6679f8e25014adef2/analysis; classtype:trojan-activity; sid:28860; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot"; flow:to_server,established; content:"User-Agent|3A| z00sAgent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5873dad08351309e13af9e5/analysis/1383673331/; classtype:trojan-activity; sid:28859; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent Update1.0 - Win.Trojan.Downbini"; flow:to_server,established; content:"User-Agent|3A| Update1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3055358f927b32235bce5c9810d343e53c5abf3d027e410e7435d1eac72b8f65/analysis/; classtype:trojan-activity; sid:29180; rev:2;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string fortis"; flow:to_server,established; content:"User-Agent: fortis|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29174; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent suspicious user-agent WarpHTTP - Win.Trojan.Yohakest"; flow:to_server,established; content:"User-Agent|3A| WarpHTTP|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,www.virustotal.com/en/file/d39543d91c17eae377b068cfb52f911d42efb6ea3566eebb202192ca92dbc3ee/analysis/; classtype:trojan-activity; sid:29150; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious User-Agent - Win.Trojan.Secciv"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)???"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8495ea2ed9f8ce75da1f0390a290d0a4dc5ddf9d882794d75f293825d03c51fe/analysis/; classtype:trojan-activity; sid:29143; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent string HTTP 1.1 - Win.Trojan.Tapslix"; flow:to_server,established; content:"User-Agent|3A| HTTP 1.1|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/369b9dcfa2430d63e91b03f5d1330e67e78ae3fd197f64f6518a1b4191c08cad/analysis/; classtype:trojan-activity; sid:29139; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Mowfote"; flow:to_server,established; content:"User-Agent|3A| DMFR|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c9bb1e05c2ab4dfb0682177ab440054ebebb195eebb4994b1e4c22157ce3f42b/analysis/; classtype:trojan-activity; sid:29358; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent string CustomSpy - Win.Trojan.Etek"; flow:to_server,established; content:"User-Agent|3A 20 28|CustomSpy|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef611fe55f6ef6cd26a65f639de270351044b60157a5715a605ef8c1a43a89c9/analysis/; classtype:trojan-activity; sid:29341; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Dluca"; flow:to_server,established; content:"User-Agent|3A| CWAD|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02ec8487567b2a358ee5ba32d510062d586b5acd1cf01e69c8d0ac9c0594331f/analysis/; classtype:trojan-activity; sid:29371; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Tirips"; flow:to_server,established; content:"User-Agent: TestWinInet|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/14051e376e7ae77b1a771e9643148d2cc79d2067670de14ac0e2003c75fd7baf/analysis/; classtype:trojan-activity; sid:29431; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Truado"; flow:to_server,established; content:"User-Agent|3A| WebClient For Extensions"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/87ab59e92178018832b1a66df5b42c8cd962e805a844e59c6a14c028a093efd1/analysis/; classtype:trojan-activity; sid:29652; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Mimunita"; flow:to_server,established; content:"User-Agent|3A| Mozilla/981.0 (compatible|3B| Arachmo)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4fd17a3f8a700e79a3671c5a4a98ba583fd7e4912678104284d7dd375ba21d5b/analysis/; classtype:trojan-activity; sid:29645; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29760; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq"; flow:to_server,established; content:"User-Agent: TixDll|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Updates downloader|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity; sid:29887; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agnet string Win.Trojan.ZeusVM"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1|28 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C003CA9C9694489F202E5A77FBD4973ADF7286C414EB98D525A8BFBC582D8962/analysis/; classtype:trojan-activity; sid:30210; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - logogo.exe"; flow:to_server,established; content:"User-Agent|3A 20|logogo.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4ff9e2e2d117218782835aaa527b2fc040d8e963d3691058161f47c77c391696/analysis/; classtype:trojan-activity; sid:30250; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent getcmdw23 - Win.Trojan.Burnwoo"; flow:to_server,established; content:"User-Agent|3A| getcmdw23|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/692a794d3c8ac7a0c114d211e7cfc234b9e72cd656ab5d5054d59f8bd56614b7/analysis/; classtype:trojan-activity; sid:30315; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent getcmd - Win.Trojan.Burnwoo"; flow:to_server,established; content:"User-Agent|3A| getcmd|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/692a794d3c8ac7a0c114d211e7cfc234b9e72cd656ab5d5054d59f8bd56614b7/analysis/; classtype:trojan-activity; sid:30314; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Win.Backdoor.Jolob"; flow:to_server,established; content:"User-Agent|3A| aa|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13f6b38eed1c156a6791bdb09af9cad0af94a39da7ad0cdca40073df3d4adc70/analysis/; classtype:trojan-activity; sid:30309; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Win.Backdoor.Jolob"; flow:to_server,established; content:"User-Agent|3A| Mozilla /5.0 (Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13f6b38eed1c156a6791bdb09af9cad0af94a39da7ad0cdca40073df3d4adc70/analysis/; classtype:trojan-activity; sid:30308; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent InetAll - Win.Trojan.Pennonec"; flow:to_server,established; content:"User-Agent|3A| InetAll|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c394497876c500ecd7413a7262a64258362af2998e33ad9266332036ff9655e5/analysis/; classtype:trojan-activity; sid:30301; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent Browser - Win.Trojan.Bruterdep"; flow:to_server,established; content:"User-Agent|3A| Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/47f5b249f9a7524f908dfaf16102d3acc9dd4154ff8e8a8b8d96ac49ebef26a0/analysis/; classtype:trojan-activity; sid:30290; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent EyeS_Client_1.0 - Win.Trojan.Seey"; flow:to_server,established; content:"User-Agent|3A| EyeS_Client_1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e666ae1d996c2c6b1a36934379a3ad4f702a8f927c90966a80d7a07f43764cfc/analysis/; classtype:trojan-activity; sid:30344; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent ebot - Win.Trojan.Modulog"; flow:to_server,established; content:"User-Agent|3A| ebot|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7da9c2ad92eed40a46a3dcf7638f7b9bc49cd0685c3f5454c298c0aefc2d26e/analysis/; classtype:trojan-activity; sid:30331; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent Neutrino/2.1 - Win.Trojan.Necurs"; flow:to_server,established; content:"User-Agent|3A| Neutrino/2.1|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B041F8AD32154A28D8D4BD7CC4BF83EE1D45107C4DAEA63F1D2C2651ADB5014E/analysis/; classtype:trojan-activity; sid:30518; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent hello crazyk"; flow:to_server,established; content:"User-Agent: hello crazyk|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218ba895c1f4a/analysis/; classtype:trojan-activity; sid:31090; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent svchost"; flow:to_server,established; content:"User-Agent: svchost|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/a6f68442a4f04b5341921da61a6ad8d440ae853871b989c3636570103d9c54f3/analysis/; classtype:trojan-activity; sid:31122; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent DefaultBotPassword - Win.Trojan.Tirabot"; flow:to_server,established; content:"User-Agent|3A| DefaultBotPassword|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cfc4a7944f2351fd94623f07a2422e251aecf821e1c6db1770d02f22a01f1535/analysis/; classtype:trojan-activity; sid:31150; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious User-Agent rome0321 - Win.Trojan.Soraya"; flow:to_server,established; content:"User-Agent|3A| rome0321|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; reference:url,www.securityweek.com/soraya-malware-mixes-capabilities-zeus-and-dexter-target-payment-card-data; reference:url,www.virustotal.com/en/file/a776441157ea06d5a133edde3cf7f63bda2df69fdfbf23db2852c9882eae8112/analysis/; classtype:trojan-activity; sid:31225; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent blacksun - Win.Trojan.Blacksun"; flow:to_server,established; content:"User-Agent|3A| blacksun"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/669cf6c87a16ea8e243d408a96210491dd18b3fe3d974c545f25426836392fbb/analysis/; classtype:trojan-activity; sid:31417; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Decibal - Win.Trojan.Decibal"; flow:to_server,established; content:"User-Agent: Decebal"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f579187ef0879ea8a999bd39720d9e08b53fc783cf3d168ba21304cb3144e806/analysis/; classtype:trojan-activity; sid:32030; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent string - httptestman - Win.Backdoor.Rabasheeta"; flow:to_server, established; content:"User-Agent|3A| httptestman|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/47b8db81218cdb7469486b7727b689db061369dc3622e12dff404be98aadc924/analysis/; classtype:trojan-activity; sid:32060; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent Xsser mRAT user-agent"; flow:to_server,established; content:"xsser.0day (unknown version)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:32052; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - update - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: update|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32125; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string update - Win.Trojan.Waski"; flow:to_server,established; urilen:<40; content:"User-Agent: update|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control: no-cache"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f1f1e9a7a11df8544b63815272180e112f97bb6844697dbcb1f8c8a6b1589b97/analysis/; classtype:trojan-activity; sid:32296; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string http - Win.Trojan.Waski"; flow:to_server,established; urilen:<40; content:"User-Agent: http|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control: no-cache"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f1f1e9a7a11df8544b63815272180e112f97bb6844697dbcb1f8c8a6b1589b97/analysis/; classtype:trojan-activity; sid:32295; rev:2;)
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent BloodguyBrowser-_-"; flow:to_server,established; content:"User-Agent|3A| BloodguyBrowser-_-|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dcefbea4d7003ab8eafee05f2bd90f09df330539b5b8dcfae96d855063b996b1/analysis/; classtype:trojan-activity; sid:32294; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string fast uax"; flow:to_server,established; content:"User-Agent|3A| fast uax|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/99c69981aecf111b66006e675f144764f2a8bcd270c8a0bbc976d8f1a6e086f7/analysis/; reference:url,www.virustotal.com/en/file/caf1832e76b5bc663b4dcc77b8ae3ac226481ba16af39bab866d391369529d2b/analysis/; classtype:trojan-activity; sid:32333; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - myupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: myupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6cbda8878f68dac2b44abac3afb8727d16f8f3ab584fce113bfd1c098c7f2436/analysis/; classtype:trojan-activity; sid:32384; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - connect - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: connect|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:32383; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent VUPHTTP - Win.Trojan.Puvespia"; flow:to_server,established; content:"User-Agent: VUPHTTP|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d2d2d980c9629e31149ce55ca4cc87f2fbbfbae30b14908e9b6595e2eb4ae915/analysis/; classtype:trojan-activity; sid:32455; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent globalupdate - Osx.Trojan.Wirelurker"; flow:to_server,established; content:"User-Agent|3A 20|globalupdate"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/93856f704db2efe2e2262e6c710a23d03d6b0748c02e4d5d8d2d4e25f56a8b32/analysis/; classtype:trojan-activity; sid:32402; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string RUpdate"; flow:to_server,established; content:"User-Agent: RUpdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32645; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - multi-browser"; flow:to_server,established; content:"Mozilla/5.0 |28|Windows NT 5.1|3B| rv|3A|11.0|29| Gecko/20100101 Firefox/24.0"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32980; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - extra IE version"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|29| |3B| Maxthon/3.0|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32979; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - extra IE version"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|29| |3B| 360SE|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: realupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33047; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33207; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - onlyupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: onlyupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33260; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - testupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: testupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33259; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Updates downloader - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Updates downloader|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33258; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - onlymacros - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: onlymacros|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33257; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - macrotest - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: macrotest|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33256; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - iMacros - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: iMacros|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33255; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - hi - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: hi|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33254; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - bbbbbbbbbb - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: bbbbbbbbbb|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33253; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - WATClient - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: WATClient|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33252; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - USER_CHECK - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: USER_CHECK|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33251; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Tintin - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Tintin|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33250; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - SLSSoapClient - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: SLSSoapClient|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33249; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Peers12 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Peers12|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33248; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - PPKHandler - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: PPKHandler|0D 0A|"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33247; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - OperaMini - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: OperaMini|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33246; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Opera10 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Opera10|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33245; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Opera - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Opera|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33244; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mozilla - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Mozilla|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33243; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Explorer - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Explorer|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33242; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - FixUpdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: FixUpdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33240; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Installer/1.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Installer/1.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33239; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Wurst - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Wurst|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33238; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Player - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Player|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33237; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - 2808inst - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: 2808inst|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33236; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - 2608cw-2 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: 2608cw-2|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33235; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - 2508Inst - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: 2508Inst|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - 2608cw-1 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: 2608cw-1|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33233; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - AppUpdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: AppUpdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33232; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Firefox/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Firefox/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33231; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Firefox - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/012b09a13adc35a89c659cfdc57b627ded7cf731e091e930fd22fa91e15a1237/analysis/; classtype:trojan-activity; sid:33230; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - DNS Changer"; flow:to_server,established; content:"User-Agent|3A 20|DNS Check|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33522; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ALIZER"; flow:to_server,established; content:"User-Agent|3A 20|ALIZER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - Downing - Win.Trojan.Otwycal"; flow:to_server,established; content:"User-Agent|3A 20|Downing|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ae7d6afd7340911ebbbfa48a50753d38ba4988a580d2d763a531bfb2817916ff/analysis/; classtype:trojan-activity; sid:33633; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro"; flow:to_server,established; content:"User-Agent: Google Omaha|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity; sid:33649; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent DownloadMR - Solimba"; flow:to_server,established; content:"User-Agent|3A 20|DownloadMR"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d91dd22f47d2a5afab57fb26bccf9192a7a2db432485e7fe752649fca412d627/analysis/; classtype:trojan-activity; sid:33831; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,6969] (msg:"MALWARE-CNC User-Agent known malicious user-agent string dolit"; flow:to_server,established; content:"User-Agent: dolit|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4060C7DBDA6AB0B743843D3372FCBAF87F920085F7E7E8CA314A19211AC352CC/analysis/; classtype:trojan-activity; sid:33884; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - Win.Trojan.Barys"; flow:to_server,established; content:"User-Agent|3A| E9BC3BD76216AFA560BFB5ACAF5731A3"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/43a96d673db0ed1d94bd5b8413be212059b02ce507ccdfa019b73e49436a5d93/analysis/; classtype:trojan-activity; sid:33914; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - KAIIOOOO871 - Win.Trojan.Dridex"; flow:to_server,established; content:"User-Agent|3A 20|KAIIOOOO871|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4ad0b509b232dc0fc1704552de614849f1ddc63dbd5c9f3cf9fc2490c6abcba8/analysis/; classtype:trojan-activity; sid:33907; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - spam_bot"; flow:to_server,established; content:"User-Agent: spam_bot|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/ED62E89CC17E400A60D98E075FAFFB9D778C1A27A9CB83723E3AFA6A2C385339/analysis/; classtype:trojan-activity; sid:25659; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Punkey"; flow:to_server,established; content:"User-Agent|3A| Mozilla Firefox/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e0c4696093c71a8bbcd2aef357afca6c7b7fbfe787406f6797636a67ae9b975d/analysis/; classtype:trojan-activity; sid:34607; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - EMERY - Win.Trojan.W97M"; flow:to_server,established; content:"User-Agent|3A 20|EMERY|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d0f0a446162c6dafc58e4034f4879275d3766f20336b6998cb5a5779d995a243/analysis/; classtype:trojan-activity; sid:34843; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string EI Plugin updater"; flow:to_server,established; content:"User-Agent|3A| EI Plugin updater"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-18338; reference:url,www.virustotal.com/en/file/9b0f613228ad8b71a1ab44efbf6c0ed5df06cca4988d6fd094a34f867838cc54/analysis/; classtype:trojan-activity; sid:35316; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.Zollard"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| Zollard|3B| Linux)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:35710; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mozila"; flow:to_server,established; content:"User-Agent|3A| Mozila/5.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d8870e07e63199fabfc704b450fdaeb168d0b7a0fe414905728fc1fb816ed9df/analysis/; classtype:trojan-activity; sid:36833; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.FighterPOS"; flow:to_server,established; content:"User-Agent|3A| FromtheGods"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/56714b26b25bae1faa23355866a400d3cf920bb782ea222929e06f2dd79e0646/analysis/; classtype:trojan-activity; sid:38234; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - JexBoss"; flow:to_server,established; content:"User-Agent|3A| jexboss"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/905ba75b5b06cbb2ea75da302c94f6b5605327c59ebdb680c6feabdbc9e242d3/analysis/; classtype:trojan-activity; sid:38304; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - uguogo - Win.Trojan.Nemucod"; flow:to_server,established; content:"User-Agent: uguogo|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/ba5f5f144f1d1dc555f7abef1b55a44d9bc815f51398a849145aadc7ee285411/analysis/; classtype:trojan-activity; sid:38962; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - fsrhrsrg - Win.Trojan.Nemucod"; flow:to_server,established; content:"User-Agent: fsrhrsrg|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/ba5f5f144f1d1dc555f7abef1b55a44d9bc815f51398a849145aadc7ee285411/analysis/; classtype:trojan-activity; sid:38961; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Batlopma"; flow:to_server,established; content:"User-Agent: InetURL:/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/63dc515aa44a48a31191b8f905b40ce8883bc864d4784a0bf84edf102ddffaf3/analysis/; classtype:trojan-activity; sid:39361; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string mozilla/2.0"; flow:to_server,established; content:"User-Agent|3A| mozilla/2.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39710; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Adware user-agent string - Win.Adware.Prepscram"; flow:to_server,established; content:"User-Agent|3A| InstallCapital|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E3955FBADBDC4C3CD4F5958BC727B7941A1D32E1BC8B84DEE4208A0D6F77B74F/analysis/; classtype:trojan-activity; sid:39886; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string DetoxCrypto2"; flow:to_server,established; content:"User-Agent|3A| DetoxCrypto2"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/bbc9a2f87c48b15a527b665bcadc92787f36c2364161e29e7d90e45591b0a634/analysis/; classtype:trojan-activity; sid:40012; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Fareit"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.08 (Charon|3B| Inferno)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/; classtype:trojan-activity; sid:40066; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known PUA user-agent string - TopTools100"; flow:to_server,established; content:"User-Agent|3A| BDI18N"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,virustotal.com/en/file/4e4d1a7888ff177460294d874ed6fc2b43841b4a02025600f637cf4f908d46cb/analysis/; classtype:misc-activity; sid:40081; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - F.5.E.C"; flow:to_server,established; content:"User-Agent|3A| F.5.E.C DRILL"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:40217; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.VBInject"; flow:to_server,established; content:"User-Agent|3A| |AA DF F6 F4|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B37DB43DCE25BB3A681EE4F79392795C0D54F6260A3C34FC2008E210CCFE6DAE/analysis/; classtype:trojan-activity; sid:40216; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Darkshell"; flow:to_server,established; content:"User-Agent|3A| MyAgrent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7bfdaf8eb794f5180dea83200b3975f230d9b30c13e0f0845ee87be426e3299e/analysis/; classtype:trojan-activity; sid:40212; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Perseus"; flow:to_server,established; content:"User-Agent|3A| bUQ8QmvUpI57udWFxQHPkuyKDfc3T8u5"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40251; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Instally"; flow:to_server,established; content:"User-Agent|3A| inet_provider"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/672bac1a0dbd10b6904bf2801a3bc329588fddee4b8ed81fffa8aacb5d15efbd/analysis/; classtype:trojan-activity; sid:40528; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.TrickBot"; flow:to_server,established; content:"User-Agent|3A| TrickLoader"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/047c5dcbc1db4a6ab154d83020070210f5b9482971268ac6683aefcd57e130a5/analysis/; classtype:trojan-activity; sid:40644; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.TrickBot"; flow:to_server,established; content:"User-Agent|3A| BotLoader"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/047c5dcbc1db4a6ab154d83020070210f5b9482971268ac6683aefcd57e130a5/analysis/; classtype:trojan-activity; sid:40643; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Sality"; flow:to_server,established; content:"User-Agent|3A| KUKU"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ae15faa3bab4038dd774fca0519916903237477cac1d98ad86b089f5d8d8fbb3/analysis/; classtype:trojan-activity; sid:40733; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Crypton"; flow:to_server,established; content:"User-Agent|3A| Crytpon3"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4A7D008B3C8DE78684CC66326B0DB856A5B918DD6F51AF821D0101F47218455A/analysis/; classtype:trojan-activity; sid:40800; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Venik"; flow:to_server,established; content:"User-Agent|3A| RiSing|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4caea86e8e2a5ae89c114a3d6cd58ea9e2f1d6000f4ddf1e9de6bec490bed3b1/analysis/; classtype:trojan-activity; sid:40782; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Virut"; flow:to_server,established; content:"User-Agent|3A| Smadav"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/37ac8b91b2ef8a5c0b3b5838e5c5741cf8aba5afcdaaffc405669c32d8fe1d40/analysis/; classtype:trojan-activity; sid:40870; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Virut"; flow:to_server,established; content:"User-Agent|3A| SmaRTP|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/37ac8b91b2ef8a5c0b3b5838e5c5741cf8aba5afcdaaffc405669c32d8fe1d40/analysis/; classtype:trojan-activity; sid:40869; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Visbot"; flow:to_server,established; content:"User-Agent|3A 20|Visbot"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,gist.github.com/gwillem/2887310b5e4c2a778026d301c7d47337/revisions; classtype:trojan-activity; sid:41318; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Simda"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 2.0|3B| Windows NT 5.0|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8202CDBA149240C15A659FE9AFD3322A2316FEBED039686633D343CEF7CF7016/analysis/; classtype:trojan-activity; sid:41403; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger"; flow:to_server,established; content:"User-Agent|3A| installer/"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41457; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Elite Keylogger"; flow:to_server,established; content:"User-Agent|3A| Elite%20Keylogger/"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41456; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user-agent string - X-Mas"; flow:to_server,established; content:"User-Agent|3A 20|Useragents"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41441; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Malware.DistTrack"; flow:to_server,established; content:"User-Agent|3A| Mozilla/13.0 (MSIE 7.0|3B| Windows NT 6.0)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dbdea08e7b970d395236b8e0aada6fc07fb23e6181485d86f65da1e73ab2ba2e/analysis/; classtype:trojan-activity; sid:41539; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.MagicHound"; flow:to_server,established; content:"User-Agent|3A| My Session888"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B6C159CAD5A867895FD41C103455CEBD361FC32D04573321280B1451BF151C/analysis/; classtype:trojan-activity; sid:41656; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A| uc|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42020; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A| Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42019; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Frethog"; flow:to_server,established; content:"User-Agent|3A| vb   wininet"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/E09A8C28C426B894FCFF5C1102570FA6A5CFDBCE5D9202F6322262FE8143AB6B/analysis/; classtype:trojan-activity; sid:42454; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Backdoor.Chopper"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0+(compatible|3B|+Baiduspider/2.0|3B|++http://www.baidu.com/search/spider.html) Mozilla/5.0+(compatible|3B|+Googlebot/2.1|3B|++http://www.google.com/bot.html)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42838; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - SessionI"; flow:to_server,established; content:"User-Agent|3A 20|SessionI|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a52d3e65fe5bbf57bab79b1c5092b66d9650247249b72f667a927f266d09efe6/analysis/; classtype:trojan-activity; sid:42832; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - micro"; flow:to_server,established; content:"User-Agent|3A 20|micro|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a52d3e65fe5bbf57bab79b1c5092b66d9650247249b72f667a927f266d09efe6/analysis/; classtype:trojan-activity; sid:42831; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Sublink"; flow:to_server,established; content:"H-WORM |28| AUTOIT |29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/05C7071F4B851C032A25755A1FB94BE4D4CAA77C7BB315B3CACAE01EC16D8AF8/analysis/; classtype:trojan-activity; sid:42830; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent Win.Trojan.Agent malicious user agent"; flow:to_server,established; content:"User-Agent|3A| HttpBrowser/1.0"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Hotbar"; flow:to_server,established; content:"User-Agent|3A| RPCriCheck"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a470b81dfa1dc57bdccc293ec4a61b08c16d561bbc8686700ff9d7c1964212ca/analysis/; classtype:trojan-activity; sid:43220; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Graftor"; flow:to_server,established; content:"User-Agent|3A| Downloader 25.8"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/41474cd23ff0a861625ec1304f882891826829ed26ed1662aae2e7ebbe3605f2/analysis/; classtype:trojan-activity; sid:44214; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - ace4956e-736e-11e6-9584-d7165ca591df - Win.Trojan.Tarayt"; flow:to_server,established; content:"User-Agent|3A| ace4956e-736e-11e6-9584-d7165ca591df"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file//analysis/; classtype:trojan-activity; sid:44213; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - Version/100 - Win.Trojan.Tarayt"; flow:to_server; content:"AppleWebKit/600.1.4 (KHTML, like Gecko) Version/100"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E276142DD9AF0F064FF75AF17CA05A64E7944EC87B36F54B683B4E430744C242/analysis/; classtype:trojan-activity; sid:44317; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Sality"; flow:to_server,established; content:"User-Agent|3A| c|3A 5C|"; fast_pattern:only; http_header; content:!"Cache-Control: no-cache"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:44362; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Poison"; flow:to_server,established; content:"User-Agent|3A| quard"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/72AE7AE357F036834A9265E547B27C8598392E493FBDFDD89A34712063D41BCD/analysis/; classtype:trojan-activity; sid:44440; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Datper"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 11.0|3B| Windows NT 6.1|3B| SV1)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2/analysis/; classtype:trojan-activity; sid:44773; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Datper"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.0|3B| SV1)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2/analysis/; classtype:trojan-activity; sid:44772; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Adware user-agent string - Win.Adware.VirusHeat"; flow:to_server,established; content:"User-Agent|3A| VirusHeat"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,en.wikipedia.org/wiki/VirusHeat; reference:url,www.virustotal.com/en/file/8ce81a1f4eddfd8ace4dc3fa0ec03986ca65de8261195d0201595554a755bece/analysis/; classtype:trojan-activity; sid:13638; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Volgmer"; flow:to_server,established; content:"User-Agent|3A| Mozillar/"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d36476e027bed89555a0b426becc321f3a5abbe4a2c3e543995962cebf448c0e/analysis/; classtype:trojan-activity; sid:44886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Tool.SMSBomber"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (houzi|3B| MSIE 6.0|3B| Windows NT 5.0)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8812a87330413c5975d6ae91af3063e54b77afe63f955e28b13cb0631bb72154/analysis/; classtype:trojan-activity; sid:45051; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - SocStealer"; flow:to_server,established; content:"User-Agent|3A| restclient for cpp"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/34E4890AAF63D57D686CBB8C9722F5BDEF9A41FB127B56D895C5BD87B7CE92BA/analysis/; classtype:trojan-activity; sid:45230; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - SocStealer"; flow:to_server,established; content:"User-Agent|3A| winnet http client"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/34E4890AAF63D57D686CBB8C9722F5BDEF9A41FB127B56D895C5BD87B7CE92BA/analysis/; classtype:trojan-activity; sid:45229; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Phoenix exploit kit post-compromise behavior"; flow:to_server, established; content:"Accept-Encoding: identity, *|3B|q=0"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.0|3B| Windows 98)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; reference:url,contagiodump.blogspot.com/2010/06/overview-of-exploit-packs-update.html; classtype:successful-user; sid:21860; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tavex outbound connection"; flow:to_server,established; content:"User-Agent|3A| Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; http_header; content:"/stactivex/"; http_uri; content:".htm"; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/615c28236dc561e3866a2845bbe3457716bca0d98eb9c13a315d6ef7fcc9beb3/analysis/; classtype:trojan-activity; sid:36639; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25100 (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"/0/"; content:"-SP"; within:3; distance:2; content:"/0/"; within:3; distance:1; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/; classtype:trojan-activity; sid:31736; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"/Gestores/extra/2cr.tar"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/511aae72f63fd0256b7210d8a20afc75df7d1225ac054ec732a7fee43d11657b/analysis/; classtype:trojan-activity; sid:31735; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy outbound connection"; flow:to_server,established; content:"User-Agent: User-Agent"; fast_pattern:only; http_header; content:"hello="; depth:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7ccff801ad03c9fc6dec3b4c2624bfe805f4d9360e5d2332fc6ebd1c4086a66c/analysis/; classtype:trojan-activity; sid:35462; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VaccinePC variant outbound connection"; flow:to_server,established; content:"/APP/pf_ck.php?v1="; fast_pattern:only; http_uri; content:"User-Agent: 1|0D 0A|"; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C0F22EF1818673AF9B2D353F40AB846D3003F327666FBB446A1964BBA20EE2B2/analysis/; classtype:trojan-activity; sid:24632; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Seruda system information disclosure"; flow:to_server,established; content:"@IIZZ"; fast_pattern:only; content:"|02 03 7A 9F 49|"; depth:5; offset:11; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7a5ecb04e69209416646e7bd1d7ae717a707915c9219301710fc7cc5731d4cb3/analysis/; classtype:trojan-activity; sid:29990; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; content:"/img/get.php?d_info="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:26967; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1234 (msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; content:"02|7C|"; depth:3; content:"|7C|N|7C|t+1.2|7C|1.2|7C|"; distance:0; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26955; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Talsab variant outbound connection"; flow:to_server,established; content:"destino="; http_client_body; content:"&user="; within:30; http_client_body; content:"&icerik="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis; classtype:trojan-activity; sid:26954; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,88] (msg:"MALWARE-CNC Win.Trojan.Orcim variant outbound connection"; flow:to_server,established; content:"/u_get.asp?smac="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d370477b9c041a2a8b0877c69a0742db5fa789671a0a6d869c7610c1d8ec98c/analysis/; classtype:trojan-activity; sid:26952; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uptime RAT beacon"; flow:to_server,established; content:".asp?id="; http_uri; content:"|44 00 61 00 79|"; distance:0; http_uri; content:"|48 00 6F 00 75 00 72|"; fast_pattern:only; http_uri; content:"|4D 00 69 00 6E|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26946; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bisonal RAT beacon"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:".asp?id="; nocase; http_uri; content:"host:"; distance:0; nocase; http_uri; content:"user:"; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26945; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Post_Show RAT beacon"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/post_show.asp?"; fast_pattern:only; http_uri; content:"123456789"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26944; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Post_Show RAT beacon"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/jp/admin.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26943; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PipCreat RAT beacon"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"/adminweb/news.asp?id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26942; rev:3;)
alert tcp $EXTERNAL_NET [$HTTP_PORTS,8264,8500] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PipCreat RAT dropper download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"are you there!@#$%^&*()_+"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cyberengineeringservices.com/login-exe-analysis-trojan-pipcreat/; classtype:trojan-activity; sid:26941; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TripleNine RAT beacon"; flow:to_server,established; content:"GET"; depth:3; nocase; http_method; content:"User-Agent: Mozilla/5.0"; nocase; http_header; content:"Cache-Control: no-cache"; nocase; http_header; content:"/999"; fast_pattern:only; http_uri; pcre:"/^\/999$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26940; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server; content:"GN"; depth:2; metadata:policy security-ips drop, service ntp; classtype:trojan-activity; sid:26932; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server,established; content:"/links.php?mode=1"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Cookie"; http_header; content:!"Content-Length"; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26931; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server,established; content:"/form.php?mode="; http_uri; content:"&UID="; distance:0; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26930; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zotob.E gc.exe download"; flow:to_server,established; content:"/gc.exe"; fast_pattern:only; http_uri; content:!" "; http_header; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; sid:26880; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant outbound connection"; flow:to_server,established; content:"?action=add&a="; http_uri; content:"&c="; within:12; distance:1; http_uri; content:"&l=Microsoft"; http_uri; content:"Windows"; within:12; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26841; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant outbound connection"; flow:to_server,established; content:"?action=add&a="; http_uri; content:"&c="; within:12; distance:1; http_uri; content:"&l=&p="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/D1F5B9540046E59B18069343D0A2E7A4A1AA0894C1913F737FBE3AEDC9B595A1/analysis/; classtype:trojan-activity; sid:26840; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uperti variant outbound connection"; flow:to_server,established; content:"User-Agent: IE8.0|0D 0A|"; fast_pattern:only; http_header; content:"Data$$"; depth:6; http_client_body; content:"Data"; within:128; distance:32; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/D607D963C1644CAAD81276728D505789503AEAE70C064EB9B5ECDCFA57E16FB9/analysis/; classtype:trojan-activity; sid:26828; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:".php?"; nocase; http_uri; content:"div="; nocase; http_uri; content:"code="; nocase; http_uri; content:"site="; nocase; http_uri; content:"searches="; nocase; http_uri; content:"clicks="; nocase; http_uri; content:"adver="; fast_pattern; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/05f8386b564d44e179c9170d1440f5154aa0417cce178a5d9dcf9d476af8eca1/analysis; classtype:trojan-activity; sid:26822; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Datash variant outbound connection"; flow:to_server,established; content:"/microsoftupdate/getupdate/default.aspx?ID="; fast_pattern:only; http_uri; content:"para1="; http_uri; content:"para2="; within:36; http_uri; content:"para3="; within:36; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6F86AE3ADC0CDA2FFB4F13E6625F5C689B7B8344C550BB7C3FF8A6DADA7402E0/analysis/; classtype:trojan-activity; sid:26820; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Datash variant outbound connection"; flow:to_server,established; content:"/microsoft/errorpost/default/connect.aspx?"; fast_pattern:only; http_uri; content:"|C8 04 00 00 00 00 00 00|"; depth:8; offset:28; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6F86AE3ADC0CDA2FFB4F13E6625F5C689B7B8344C550BB7C3FF8A6DADA7402E0/analysis/; classtype:trojan-activity; sid:26819; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Zawat variant outbound connection"; flow:to_server,established; content:"/intro/flashview.html"; fast_pattern:only; http_uri; content:"Mozilla/4.0 (compatible|3B 20|MSIE 6.0|3B 20|Win32)|3B|"; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C769F2E988A7DA2F14179B8583D9032B00A804D780E11FA9C04994DEF6803EF8/analysis/; classtype:trojan-activity; sid:26818; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.KitM variant outbound connection"; flow:to_server,established; content:"/MacApp/"; fast_pattern:only; http_client_body; pcre:"/\/MacApp\/\d{2}(-\d{2}){3}(:\d{2}){2}\.png\r\n[^\x89]+?\x89PNG/Psmi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26816; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.KitM variant outbound connection user-agent"; flow:to_server,established; content:"User-Agent: macs 1."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26815; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dapato CMS spambot check-in"; flow:to_server,established; content:"/seek.cgi?lin="; nocase; http_uri; content:"&db="; within:50; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:26813; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backdoor.Tomvode variant outbound connection"; flow:to_server,established; content:"/Default.asp?uid="; fast_pattern; nocase; http_uri; content:"&do="; distance:0; nocase; http_uri; content:"&view="; distance:0; nocase; http_uri; content:"&_lgmode="; distance:0; nocase; http_uri; content:"&from="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/D5FC378AB31019F99F613BDBABD5AA63D97A3CD0031E90265427DB912D744F88/analysis/; classtype:trojan-activity; sid:26809; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vbula variant initial CNC contact"; flow:to_server,established; content:"/novinha/imgjpgcnf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26793; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vbula variant outbound connection"; flow:to_server,established; content:"/miragem/comunic.php"; fast_pattern:only; http_uri; content:"ext="; nocase; http_client_body; content:"cliente="; distance:0; nocase; http_client_body; content:"mensagem="; distance:0; nocase; http_client_body; content:"tipo="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1E934A08D506428B133C3123F501656C92D23A1D741F324FD73D3FF3EFB2CB23/analysis/; classtype:trojan-activity; sid:26792; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7777 (msg:"MALWARE-CNC Win.Trojan.Qrmon variant outbound connection"; flow:to_server,established; content:"top111"; depth:6; offset:3; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/34BA837EFA1A39169A10D8158020116215867A745171F826C5A51CB4B5908846/analysis/; classtype:trojan-activity; sid:26785; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nivdort variant outbound connection"; flow:to_server,established; content:"/forum/search.php?method="; nocase; http_uri; content:"&mode="; distance:0; nocase; http_uri; content:"Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0fecc5c3d6a3ffe4230fb9575f835cee02945a0fcbf93df784570aaeaa9d7135/analysis/; classtype:trojan-activity; sid:26784; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; content:"/cos3q/in"; fast_pattern:only; http_uri; content:".exe"; nocase; http_client_body; pcre:"/\x5f\w{24}\.exe/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"/m/IbQ"; depth:6; fast_pattern; http_uri; urilen:>150; content:!"PacketShaper"; http_header; content:!"Referer:"; http_header; pcre:"/\/m\/ibq(?!c)[a-p]/imsU"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26777; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; content:"POST"; http_method; content:"cmd=gravar&dados="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/index.html"; http_uri; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; content:"/loader.cpl"; fast_pattern:only; http_uri; pcre:"/\/loader\.cpl$/U"; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:".asp?Uid="; fast_pattern:only; http_uri; content:"&Bank="; nocase; http_uri; content:"&Money="; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/9AC6EB3F6FDFC64622D29B42887EF593B9828CEF7EC401A31A3CB88133EE7F3E/analysis/; classtype:trojan-activity; sid:26771; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"/Install/Post.asp?Uid="; fast_pattern:only; http_uri; content:"&Cd="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/9AC6EB3F6FDFC64622D29B42887EF593B9828CEF7EC401A31A3CB88133EE7F3E/analysis/; classtype:trojan-activity; sid:26770; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/contagem.php"; fast_pattern:only; http_uri; content:"User-Agent: VB Project|0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/87B3624D01952F7932E8B00029A612BB4B361C99E77D76050437CC025F26A507/analysis/; classtype:trojan-activity; sid:26763; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elefin variant outbound connection"; flow:to_server,established; urilen:36; content:"|AB 23 9E 39 14 35 09 0D 41 0A D2 09 10 E8 16 2F|"; depth:128; offset:64; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8FDB8F5A3522A3BDB7BADD64AE2F619B54C210E1D4004EDF4330FAB6714F7708/analysis/; classtype:trojan-activity; sid:26758; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Datcaen variant outbound connection"; flow:to_server,established; content:"|67 70 B7 A3 5B 81 4E 1C|"; depth:8; http_client_body; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/D6F0E383FB8C87BC47718D1C59CC0091E041C0367F19BA21B735B75414871E65/analysis/; classtype:trojan-activity; sid:26757; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Datcaen variant outbound connection"; flow:to_server,established; content:"/oi2c/wlc3/"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/D6F0E383FB8C87BC47718D1C59CC0091E041C0367F19BA21B735B75414871E65/analysis/; classtype:trojan-activity; sid:26756; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|"; depth:5; pcre:"/^full\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|"; depth:8; pcre:"/^allhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|"; depth:9; pcre:"/^slowhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|"; depth:9; pcre:"/^fastddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|"; depth:9; pcre:"/^download\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|"; depth:4; pcre:"/^ftp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|"; depth:6; pcre:"/^range\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|"; depth:9; pcre:"/^antiddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|"; depth:8; pcre:"/^resolve\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|"; depth:5; isdataat:!200; pcre:"/^exec\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|"; depth:4; pcre:"/^dns\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|"; depth:8; pcre:"/^connect\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|"; depth:8; pcre:"/^dataget\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|"; depth:8; pcre:"/^tcpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|"; depth:5; pcre:"/^icmp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|"; depth:5; pcre:"/^data\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|"; depth:8; pcre:"/^udpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|"; depth:4; pcre:"/^udp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|"; depth:4; pcre:"/^syn\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|"; depth:9; pcre:"/^datapost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|"; depth:10; pcre:"/^loginpost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|"; depth:7; pcre:"/^simple\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|"; depth:6; pcre:"/^sleep\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|"; depth:4; pcre:"/^die\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|"; depth:5; pcre:"/^stop\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|"; depth:5; pcre:"/^http\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?xclve_"; fast_pattern:only; http_uri; pcre:"/^\x2f\x3fxclve\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:26721; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; content:"s_task.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; content:"s_alive.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; content:"gate.php|3F|id="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; fast_pattern:only; http_header; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; content:"gate.php|3F|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/U"; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; content:"gate.php|3F|reg="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; fast_pattern:only; http_header; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; fast_pattern:only; http_header; content:"/count.php?page="; depth:16; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upero variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Win|0D 0A|"; fast_pattern:only; http_header; content:"?cdata="; nocase; http_uri; content:"&detail="; nocase; http_uri; content:"&fold="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6142f9c4ac27a3f5676c625d685e4ad500eaed2d936564b84fe5c0251e581701/analysis/; classtype:trojan-activity; sid:26703; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - POST Body"; flow:to_server,established; content:"index.php"; http_uri; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"--"; depth:2; http_client_body; pcre:"/filename=\x22\d+\x22\r\n/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary="; depth:70; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_header; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Namihno variant outbound request"; flow:to_server,established; content:"/windows/update/search?hl="; http_uri; content:"&q="; distance:0; http_uri; content:"&meta="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26695; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 250 (msg:"MALWARE-CNC Win.Trojan.Spyremoav variant outbound connection"; flow:to_server,established; content:"<|7C|INFOS|7C|>"; depth:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/2437060322d73f2728da4d0b9fb9c678fffdf099bc49293cb55099a2e3287362/analysis/; classtype:trojan-activity; sid:26692; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UFRStealer variant outbound connection"; flow:to_server,established; content:"boundary=ABCDABCDABCD"; fast_pattern:only; http_header; content:"/log/logs.php"; nocase; http_uri; content:"|0D 0A 0D 0A|UFR!"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5c097c6dddbd72976b7b1d93845a17d4ed4b5abbd2cd99e4454aa37f20683ad9/analysis/; classtype:trojan-activity; sid:26691; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Miniduke server contact"; flow:to_server, established; urilen:>45; content:"User-Agent: Mozilla/4.0"; http_header; content:"/news/feed.php"; fast_pattern:only; http_uri; pcre:"/i=[a-zA-Z0-9$~]{40}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/29ad305cba186c07cedc1f633c09b9b0171289301e1d4319a1d76d0513a6ac50/analysis/; classtype:trojan-activity; sid:26690; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Neshax variant outbound connection"; flow:to_server,established; content:"HORSE_ASSERT!"; depth:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/de/file/5E57ED1ED3D180B1956787C5839F07DA509D6C68D8EA40BC3ED71C63F5003607/analysis/; classtype:trojan-activity; sid:26684; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shyape variant outbound connection"; flow:to_server,established; content:"SLCC2)|0D 0A|"; fast_pattern:only; http_header; content:"|00 00 19|"; depth:3; offset:2; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/1EA1F84478DBC8177696C63996E5D7860D25BBFA4A3A506856201EC77A639BB5/analysis/; classtype:trojan-activity; sid:26683; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rem&"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:trojan-activity; sid:26681; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=rrm&"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:trojan-activity; sid:26680; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=upd&"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:trojan-activity; sid:26679; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=idl&"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:trojan-activity; sid:26678; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant inbound run command from cnc"; flow:to_client,established; file_data; content:"c=run&"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A6656AD2DF3FAB17DFA97C1FFB2D8D073AEFEACC77C0A753BE5FC346B0F3D98/analysis/; classtype:trojan-activity; sid:26677; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/login.php"; depth:10; http_uri; content:"Referer|3A| http://www.google.com"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; fast_pattern:only; http_header; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; content:"hostid="; http_uri; content:"|26|hostname="; http_uri; content:"|26|hostip="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Medfos Trojan variant outbound connection"; flow:to_server,established; content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE "; http_header; content:!"|0D 0A|Accept-Language:"; http_header; content:!"|0D 0A|Referer:"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC OSX.Trojan.Dockster variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF C2 1F 96 9B 5F 03 D3 3D 43 E0 4F 8F 13 6E 76 82|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/97C8A6FFD5DAAD5822B929760C61F2A9EAAFB1CBDC1D0F895DF0E3219416BAE8/analysis/; classtype:trojan-activity; sid:26609; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rocra variant outbound connection"; flow:to_server,established; content:"Content-Length: 98|0D 0A|"; http_header; content:"|04 00 00 00|"; depth:4; http_client_body; content:"A4C8293E54BE31CC89BE|BD FF 6D 16 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/1B62C8EEB834690AA11A63B45675E3C1596EA7E81ACB285019BBC479CE3C3FA9/analysis/; classtype:trojan-activity; sid:26608; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Korlia variant outbound connection"; flow:to_server,established; content:"|42 28 58 28|"; depth:4; offset:16; content:"|6C 28 49 28 51 28|"; depth:64; offset:80; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/de/file/6C876FA80FE56937CE3997FADBA2A377D814A8DE0D0FB208EAFB909487FE47D0/analysis/; classtype:trojan-activity; sid:26607; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sosork variant outbound connection"; flow:to_server,established; content:"GET /3010"; fast_pattern:only; content:!"Accept"; pcre:"/^GET \x2F3010[0-9A-F]{166}00000001/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/24E26943C43BBC57362EC1415114730C94DB9E356E3F4E6081453E924121BB11/analysis/; classtype:trojan-activity; sid:26606; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|"; depth:4; content:"|7C|Microsoft|20|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26605; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bydra variant outbound connection"; flow:to_server,established; dsize:32<>256; content:"|FF 01 DD CC|"; depth:4; content:"|7C|Windows|20|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/de/file/302bcc38f03b5c4f31432dae242c8c61ec1d243eeeec315053bc6c0fe6f74488/analysis/; classtype:trojan-activity; sid:26604; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/ccbill/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/images/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-content"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"&sk1="; fast_pattern:only; http_client_body; content:"bn1="; depth:4; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26561; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data"; flow:to_server,established; content:"tipo=getcomando&"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0"; flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26533; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header; pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26480; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Magic variant inbound connection"; flow:to_client,established; file_data; content:"some_magic_code1"; depth:36; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:26467; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linog.A variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cdata.php"; depth:10; nocase; http_uri; content:"Content-Type|3A| multipart/form-data|3B|boundary|3D|"; nocase; http_header; content:"name|3D 22|uploadedfile|22 3B|filename|3D 22|c|3A 5C|windows|5C|temp|5C|"; nocase; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9d03e61a18fcdde0b207ac6cc284fdd77d73f47fab2e3076b538b9b1bcfbbbd6/analysis/; classtype:trojan-activity; sid:26464; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linog.A variant outbound connection"; flow:to_server,established; content:"GET //download/cdata/"; depth:21; nocase; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9d03e61a18fcdde0b207ac6cc284fdd77d73f47fab2e3076b538b9b1bcfbbbd6/analysis/; classtype:trojan-activity; sid:26463; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"/add_img.php?div="; fast_pattern:only; http_uri; content:"&code="; http_uri; content:"&param="; within:10; distance:1; http_uri; content:"&os="; within:32; distance:8; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5395379127EEDD6023CDB7C02009C1391448F1F018CA277E33B3482BDDE12692/analysis/; classtype:trojan-activity; sid:26452; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"[[&testid"; fast_pattern:only; http_uri; content:"X-HOST:"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/E43B3F8D771B56F7E30A4681C3F2EE1A38A75A5395960EDC72C23CBFCD1D28E3/analysis/; classtype:trojan-activity; sid:26450; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"!M"; depth:2; content:"M_M"; within:256; distance:6; pcre:"/M[\x62-\x66](?:M[\x5f\x60]){3}M/s"; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/86C4ABCA08B2CF398A51DF81BA11F23743E989A4A7A8BC78CF58220A095424D1/analysis/; classtype:trojan-activity; sid:26449; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakesig variant outbound connection"; flow:to_server,established; content:"5v/E5"; depth:128; offset:32; http_client_body; content:!"User-Agent"; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8C4991DDD46B7ADEE31BACB30D9EFE572C426D79BF5F3E8EDFFED65E55CD0E7A/analysis/; classtype:trojan-activity; sid:26448; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler variant outbound connection"; flow:to_server,established; content:"/gamenew/index.php"; fast_pattern:only; http_uri; content:"AAA"; depth:4; offset:2; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/D4EC9833D9384D9FCF82D435196F2A88942AB00892EE1E73D19886E94AB34744/analysis/; classtype:trojan-activity; sid:26447; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/updata.asp?f=sta&ip="; fast_pattern:only; http_uri; content:"&mac="; http_uri; content:"&jc="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5025B848802FF0BEC0E03C4BFD4E39E8093826ED32905448336AB0902CE0AECF/analysis/; classtype:trojan-activity; sid:26446; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/up.asp?pid="; fast_pattern:only; http_uri; content:"&time="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5025B848802FF0BEC0E03C4BFD4E39E8093826ED32905448336AB0902CE0AECF/analysis/; classtype:trojan-activity; sid:26445; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/kl.asp?pid="; fast_pattern:only; http_uri; content:"&time="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5025B848802FF0BEC0E03C4BFD4E39E8093826ED32905448336AB0902CE0AECF/analysis/; classtype:trojan-activity; sid:26444; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Duqu variant outbound connection"; flow:to_server,established; content:"GET / "; depth:6; content:"PHPSESSID="; http_cookie; pcre:"/PHPSESSID\=\w{26}$/C"; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/3d83b077d32c422d6c7016b5083b9fc2/detection; classtype:trojan-activity; sid:26435; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; fast_pattern:only; http_header; content:"name=|22|serialfisico|22 0D 0A|"; http_client_body; content:"name=|22|versaoatual|22 0D 0A|"; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9A4AF66872A467A442D4A56E372496F46078F8F650D74DF08C2BACAFD2A518D0/analysis/; classtype:trojan-activity; sid:26428; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; content:"op="; depth:3; http_client_body; content:"&nmpc="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; urilen:8; content:"/ksa.txt"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only; http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26335; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qhost variant outbound connection"; flow:to_server,established; content:"/stat/tuk/"; fast_pattern:only; pcre:"/Host\x3A\x20[0-9\x3A\x2E]{9,21}\x0D\x0A/"; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/36D2F34F83DBC1175246645CE519CA662CA135C3DBA888008A914E5A76186753/analysis/; classtype:trojan-activity; sid:26331; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; content:"|3B 20|sv|3A|"; http_header; content:"|3B 20|id|3A|"; within:5; distance:1; http_header; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; content:"User-Agent|3A 20|C:|5C|"; fast_pattern:only; http_header; pcre:"/\.exe$/iU"; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Garveep variant outbound connection"; flow:to_server,established; content:"/plug/update.php"; fast_pattern:only; http_uri; content:"OBgWMk4=|3B|"; depth:9; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/558DAC92554B505F7A3CB578AACF169173C48D9F43CA23905517BC8C18E507CD/analysis/; classtype:trojan-activity; sid:26285; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Surok variant outbound connection"; flow:to_server,established; content:"|71 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 05 00 00 00 01 00 00 00 FF|"; depth:29; fast_pattern; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/AF878C140F9F2557563223A54D6671BE0EAD610C14006C03FE3A306A9411DC55/analysis/; classtype:trojan-activity; sid:26284; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|02|ru|00 00 01 00 01|"; within:8; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26271; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|03|org|00 00 01 00 01|"; within:9; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26270; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|03|net|00 00 01 00 01|"; within:9; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26269; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|04|info|00 00 01 00 01|"; within:10; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26268; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|03|com|00 00 01 00 01|"; within:9; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26267; rev:5;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,>,20,0,relative; byte_jump:1,0,relative; content:"|03|biz|00 00 01 00 01|"; within:9; content:!"in"; depth:35; offset:13; nocase; content:!"is"; depth:35; offset:13; nocase; content:!"ch"; depth:35; offset:13; nocase; content:!"th"; depth:35; offset:13; nocase; content:!"tr"; depth:35; offset:13; nocase; content:!"st"; depth:35; offset:13; nocase; content:!"nd"; depth:35; offset:13; nocase; content:!"nt"; depth:35; offset:13; nocase; content:!"re"; depth:35; offset:13; nocase; content:!"an"; depth:35; offset:13; nocase; content:!"gh"; depth:35; offset:13; nocase; content:!"ld"; depth:35; offset:13; nocase; content:!"ee"; depth:35; offset:13; nocase; content:!"as"; depth:35; offset:13; nocase; content:!"ll"; depth:35; offset:13; nocase; content:!"ph"; depth:35; offset:13; nocase; pcre:"/^.{13}[a-z0-9]+[\x02-\x04]/i"; pcre:"/^.{13,29}[bcdfghjklmnpqrstvwxz]{5}/i"; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:26266; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Vectmp variant outbound connection"; flow:to_server,established; content:"/install.php?pt=com"; fast_pattern:only; http_uri; content:"&mc="; http_uri; content:"&ve="; within:4; distance:17; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/74B76A78B77589C2D0D1B2D7DB4F12485A28587FFFACA7CE6958613BE70C76C9/analysis/; classtype:trojan-activity; sid:26260; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Sonide variant outbound connection"; flow:to_server,established; content:"/sophia/info72.php"; fast_pattern:only; http_uri; content:"data=M"; depth:6; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0A9A2A52155FD8746E6DAB3DE6106F204D62643507037538900D60E110344057/analysis/; classtype:trojan-activity; sid:26249; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"/b1/index.php"; fast_pattern:only; http_uri; pcre:"/^User\x2DAgent\x3A\x20[a-z0-9\_\-\.\x20]{1,256}\x2E(exe|bat|cmd|com)/iH"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0888D05493DD5A3B8784D86695070695DED3E303441C8CFC5185D09A839FC943/analysis/; classtype:trojan-activity; sid:26245; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Troll variant outbound connection"; flow:to_server,established; content:"NDIz"; depth:4; offset:7; http_uri; content:"Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02885989EC9B6851AE79D8540931A3BAFEA5777646DF0E09CE8957768B833C9A/analysis/; classtype:trojan-activity; sid:26244; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vkeikooc variant outbound connection"; flow:to_server,established; content:"&fcook="; fast_pattern:only; http_uri; content:"&cook="; http_uri; content:"mode="; depth:5; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/020CBB9C6FC93E745A1A769FA855FC5E3220B55DF0E1EF8CEA46E5288EBEEA29/analysis/; classtype:trojan-activity; sid:26240; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1080 (msg:"MALWARE-CNC Win.Trojan.Stehlox variant outbound connection"; flow:to_server,established; content:"?HELO-STX-"; depth:80; offset:5; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/903B0DFB184A79F21FA80DAC999E013BB03535123A0B1F005F77E53DC51F00EF/analysis/; classtype:trojan-activity; sid:26239; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Snopexy variant outbound connection"; flow:to_server,established; content:"/index.aspx?i="; fast_pattern:only; http_uri; pcre:"/index\.aspx\?i=[0-9A-Z\x2F\x2B]{20,160}\x3d{0,2}/iU"; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02D6DB814316DB5AAFF501BE5EDC0E64E71EC4E76226FAE9A961F8ACEA7E15F7/analysis/; classtype:trojan-activity; sid:26238; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"|0A|Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:26212; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex variant outbound connection"; flow:to_server,established; content:"User-Agent: PCICompliant/3.33"; fast_pattern:only; http_header; content:"/process.php?xy="; http_uri; content:"fGF6fDIu"; within:8; distance:48; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/BB12FC4943857D8B8DF1EA67EECC60A8791257AC3BE12AE44634EE559DA91BC0/analysis/; classtype:trojan-activity; sid:26204; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; content:"cstype="; depth:7; http_client_body; content:"&authname="; within:48; distance:1; http_client_body; content:"&authpass="; within:48; distance:1; http_client_body; content:"&hostname="; within:48; distance:1; http_client_body; content:"&ostype="; within:256; distance:1; http_client_body; content:"&macaddr="; within:64; distance:16; http_client_body; content:"&owner="; within:48; distance:17; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC VBS.Trojan.Agent variant outbound connection"; flow:to_server,established; dsize:150<>300; content:"|0D 0A|User-Agent: ZAIN_"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/CC53DAB7C2AC568C86D3F9145402BE9FE1AAF9B08C3F25C7008313EA82B47A1D/analysis/; classtype:trojan-activity; sid:26202; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lobparck variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla|20 0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control: no-store, no-cache|20 0D 0A|"; http_header; content:"HTTP/1.1|20 0D 0A|"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/FBB8AB4925B336897F2B982667C0D77A66712DCA8A857F6256BC1003343C2522/analysis/; classtype:trojan-activity; sid:26201; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hiloti variant outbound connection"; flow:to_server,established; content:".php?c="; nocase; http_uri; content:"&d="; within:3; distance:8; http_uri; content:"bauhath.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/09cae488fc5b4ceb42fc037359d3413528526b094c95006448734fd89a4d023b/analysis/; classtype:trojan-activity; sid:26178; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC AutoIT.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"ac0njxq80"; depth:9; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/4F2DF5DBCC8E237742A4722428728497AF063C056C6D7F4D0DF697E33C1F6714/analysis/; classtype:trojan-activity; sid:26121; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC AutoIT.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"lv"; depth:2; content:"H4CK3D"; within:32; nocase; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/4F2DF5DBCC8E237742A4722428728497AF063C056C6D7F4D0DF697E33C1F6714/analysis/; classtype:trojan-activity; sid:26120; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/chkupdt.asp"; fast_pattern:only; http_uri; content:"ver="; depth:4; http_client_body; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26119; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|00 00 00|Windows"; within:11; distance:143; content:"MB"; within:24; distance:48; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/A8C1E66889E9760B80C9849385BC7F833996EB7823FCC36812413833CAB85C6B/analysis/; classtype:trojan-activity; sid:26118; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tarctox variant outbound connection"; flow:to_server,established; content:"/reportdatas.php"; fast_pattern:only; http_uri; content:!"|0D 0A|User-Agent"; http_header; content:"id="; depth:3; http_client_body; content:"&A="; within:64; distance:1; http_client_body; content:"&B="; within:3; distance:1; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/97C8A6FFD5DAAD5822B929760C61F2A9EAAFB1CBDC1D0F895DF0E3219416BAE8/analysis/; classtype:trojan-activity; sid:26117; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC NSIS.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/get.php?e=590&tc="; fast_pattern; http_uri; content:"&uid="; within:32; distance:16; http_uri; content:"User-Agent: NSISDL/"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A029FCEF5BBF51284F42E33172E259A4DCF10D8E5A6B427C822A4F456722C6D3/analysis/; classtype:trojan-activity; sid:26116; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC NSIS.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/cnt.php?e=590&u"; fast_pattern; http_uri; content:"&r="; within:32; distance:1; http_uri; content:"&sz="; within:10; distance:1; http_uri; content:"User-Agent: NSISDL/"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A029FCEF5BBF51284F42E33172E259A4DCF10D8E5A6B427C822A4F456722C6D3/analysis/; classtype:trojan-activity; sid:26115; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0; http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26106; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Go http package|0D 0A|"; fast_pattern:only; http_header; content:"/about/step1.php"; http_uri; content:"m_usr="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:26088; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-CNC Win.Trojan.Exicon variant outbound connection"; flow:to_client,established; content:"|0D 0A|Warcraft III AccountName:|20|"; fast_pattern:only; content:"|0D 0A|World Of Warcraft Path:|20|"; depth:128; offset:60; metadata:impact_flag red, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/7ACB5A95B3EBCD33C470517CC4E668476118DD27C83CDEF8F5210F2E413DD269/analysis/; classtype:trojan-activity; sid:26086; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Suspected Crimepack"; flow:to_server,established; content:"/dll"; fast_pattern; http_uri; content:"//dll"; http_raw_uri; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f3aac810a100bc09f02c5e13df23264406569e3faeb10bd697de5282e7049233/analysis/; classtype:trojan-activity; sid:26081; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; content:"a=select CAMPO from PAGINA where CODIGO = "; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locati variant outbound connection"; flow:to_server,established; content:"/home/index.asp?typeid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/130411FDD36046693E5CB49BBEE9CCD628BCB4CFB1E581D03E7787D298136F73/analysis/; classtype:trojan-activity; sid:26072; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; urilen:7; content:"/in.php"; http_uri; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredo variant outbound connection"; flow:to_server,established; content:"/forum/images.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.spyware-techie.com/malbredo-q-removal-guide; classtype:trojan-activity; sid:26019; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CNC Dirtjumper variant outbound connection"; flow:to_server,established; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 17|0D 0A|"; fast_pattern:only; http_header; content:"k="; depth:2; http_client_body; content:!"|26|"; within:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26011; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CNC Dirtjumper variant outbound connection"; flow:to_server,established; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 34|0D 0A|"; fast_pattern:only; http_header; content:"k="; depth:2; http_client_body; content:!"|26|"; within:32; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/; classtype:trojan-activity; sid:26010; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Reswor variant outbound connection"; flow:to_server,established; content:"User-Agent: HttpBrowser/"; fast_pattern:only; http_header; content:"computer="; depth:9; nocase; http_client_body; content:"&lanip="; within:128; http_client_body; content:"&uid="; within:20; distance:7; http_client_body; content:"&os="; within:4; distance:32; http_client_body; content:"&relay="; within:16; distance:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/BF89679DF500E3FC698C65E21DA324F2B4CE793D8AECE6C72E6770111253911D/analysis/; classtype:trojan-activity; sid:25996; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Banload variant outbound connection"; flow:to_server,established; content:"/image/pic2.jpg"; fast_pattern:only; http_uri; content:!"Accept:"; http_header; pcre:"/Win32\x29[a-z0-9\x2B\x3D\x2F]{4}/iH"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/9C25D27EC0F3193275C1F9B2D25CF77AD33DD0A00366D15D4EE0C0F15669F524/analysis/; classtype:trojan-activity; sid:25995; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"data=HOW!! V3."; fast_pattern:only; http_uri; content:" Attacked="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/169eeca99a6d89632a4fd4934e423a59c74089cd782f382f846ce5d35ea7e9ae/analysis/1351777729/; classtype:trojan-activity; sid:25994; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [6000:7000] (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"|02|NEW INFECTION!|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/6583B4A1D9E8A349A068168E87971A1DAF0A81232EAC208BE1321511AFCB00CD/analysis/; classtype:trojan-activity; sid:25993; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [6000:7000] (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"NICK Im_From"; depth:12; pcre:"/\x7B[a-z]{1,12}\x7C[a-z0-9]{1,12}\x7D/Ri"; metadata:impact_flag red, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/6583B4A1D9E8A349A068168E87971A1DAF0A81232EAC208BE1321511AFCB00CD/analysis/; classtype:trojan-activity; sid:25992; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant connect to cnc-server"; flow:to_server,established; content:"/call_new/callurl.php"; http_uri; content:"User-Agent: IE9"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1A6DA8E84ABC485C6CA1ABC57D9B65E4EC420364C34F9EC18DCB38E7C226DEC2/analysis/; classtype:trojan-activity; sid:25991; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant connect to cnc-server"; flow:to_server,established; content:"/new_file/"; fast_pattern; nocase; http_uri; content:"User-Agent: IE9"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1A6DA8E84ABC485C6CA1ABC57D9B65E4EC420364C34F9EC18DCB38E7C226DEC2/analysis/; classtype:trojan-activity; sid:25990; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upof variant outbound connection"; flow:to_server,established; content:"/dastor/"; fast_pattern:only; http_uri; pcre:"/^\x2F[a-z0-9\-\_]{8,128}\x2Fdastor\x2F(file.htm|das.htm)/Ui"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/687BDA547594D776D66D866852A709E783879922A543AF448F84DA08A48CF23C/analysis/; classtype:trojan-activity; sid:25987; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lukprofin variant outbound connection"; flow:to_server,established; content:"/0806.asp"; http_uri; content:"570069006E0064006F0077007300"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4C49053900B8AD85721469996B580B09B890CD383D3D33B3E12FA32305E0E287/analysis/; classtype:trojan-activity; sid:25979; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lukprofin variant outbound connection"; flow:to_server,established; content:"/0806.asp"; http_uri; content:"55006E006B006E006F0077006E00"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4C49053900B8AD85721469996B580B09B890CD383D3D33B3E12FA32305E0E287/analysis/; classtype:trojan-activity; sid:25978; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/.t/8x42.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1E35617B1047CEA1A3AF9CEACA317751B0AD67FB7A4E388E8CF37A0146E2AE53/analysis/; classtype:trojan-activity; sid:25974; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boolflot variant outbound connection"; flow:to_server,established; content:"/bot/reg.php?guid="; depth:18; http_uri; content:"&os="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/DEDC949773B39A6CFAE20249CA90F07B222C8431CA8E652A4C1344BE49E0C655/analysis/; classtype:trojan-activity; sid:25973; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound data connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B| filename="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/979c14f993a1cd91f1b890f93a59ab5b14e059e056b9cf069222f529e50a4d5f/; reference:url,www.virustotal.com/#/file/ac9aea57da03206b1df12b5c012537c899bf5d67a5eb8113b4a4d99e0a0eb893/; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; dsize:9; content:"BAGLANTI?"; depth:9; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/38902F0A82AE8BF6167245C9C8D9E6994BC544F42A86C848D3D67657DC652362/analysis/; classtype:trojan-activity; sid:25867; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"MINFO|7C|"; depth:6; pcre:"/^[a-zA-Z0-9]{1,24}\x7C(([0-9]{1,3})\x2E){3}([0-9]{1,3})\x7C/R"; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/38902F0A82AE8BF6167245C9C8D9E6994BC544F42A86C848D3D67657DC652362/analysis/; classtype:trojan-activity; sid:25866; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; dsize:3; content:"ams"; depth:3; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/38902F0A82AE8BF6167245C9C8D9E6994BC544F42A86C848D3D67657DC652362/analysis/; classtype:trojan-activity; sid:25865; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Downloader.QBundle variant outbound connection"; flow:to_server,established; content:"CONNECT|20|loader|7C|"; depth:15; content:"|7C|Microsoft Windows"; within:96; distance:32; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/AB397558E35850BBC1DF5A2894F5D87C019DE545B65639485EB3001807DE1726/analysis/; classtype:trojan-activity; sid:25863; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|info|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; urilen:18; content:"/listas/out/si.php"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|"; depth:10; offset:24; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound connection"; flow:to_server,established; urilen:95<>102; content:"|29 20|Chrome|2F|"; http_header; content:!"|0A|Accept-Encoding|3A 20|"; http_header; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/cmd.php?cmd="; http_uri; content:"arq="; distance:0; http_uri; content:"cmd2="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Agent YEH variant outbound connection"; flow:to_server,established; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Shimwoc variant outbound connection"; flow:to_server,established; content:"50mb13"; depth:6; content:"i:"; within:2; distance:18; content:"p:"; within:2; distance:17; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/3B91E6AF01D3D99E101D205414902F02E1335223470D8C24DE6F032B33E969B7/analysis/; classtype:trojan-activity; sid:25674; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.QQDragon variant outbound connection"; flow:to_server,established; content:"User-Agent: services|0D 0A|"; http_header; content:"admin_un=ligui"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6E75C94D1CCA04024DD2267A4A0C2FEC43081DE64B0CE3BFD252F746BF9F5CEE/analysis/; classtype:trojan-activity; sid:25673; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsnu variant outbound connection"; flow:to_server,established; content:"/UTP402HEAD.php"; fast_pattern:only; http_uri; content:"ltype="; http_uri; content:"&ccr="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/63B27DCA6C4286A8B4F0BACA645B646974168DBBD54787B919CF433CC6C5A4E9/analysis/; classtype:trojan-activity; sid:25672; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"/google.php?a=x"; fast_pattern:only; http_uri; content:"&b="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0A2BE86A476EB3FF1B96467F37B3A1CFF4EC365B730FFE4EE34247DCC6FCE32D/analysis/; classtype:trojan-activity; sid:25671; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"&ComPut="; fast_pattern:only; http_uri; content:"&makedate="; http_uri; content:"&userID="; http_uri; content:"&os=Windows"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/522C4EB22A6C6A4E2F8FB405228BE1541C2BAE365C649C8270917577D5C2DC63/analysis/; classtype:trojan-activity; sid:25670; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Selasloot variant outbound connection"; flow:to_server,established; content:"/snwd.php"; fast_pattern:only; http_uri; content:"tp="; http_uri; content:"&tg="; within:12; distance:1; http_uri; content:"&ts=Microsoft"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3026B25C0B76E9341CF894F275F5222462B799C6439A1920555D09E97B92760A/analysis/; classtype:trojan-activity; sid:25669; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nflog variant outbound connection"; flow:to_server,established; content:"ClientId="; http_uri; content:"&Nick="; http_uri; content:"&dtime=T"; fast_pattern:only; http_uri; content:"|F0 00 F0 00 F0 00 A9 00 E0 00 E8 00 E8 00 E0 00 EB 00 E2 00 A9 00 E4 00 E8 00 EA|"; depth:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/734A409C1770CDDB063E5EDBF88AD7DCC2852F4D6999B7A6F3CFED7B96648ACE/analysis/; classtype:trojan-activity; sid:25668; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nflog variant outbound connection"; flow:to_server,established; content:"/NfLog/TTip.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/734A409C1770CDDB063E5EDBF88AD7DCC2852F4D6999B7A6F3CFED7B96648ACE/analysis/; classtype:trojan-activity; sid:25667; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"User-Agent: WebPost|0D 0A|"; fast_pattern:only; http_header; content:"pcAviso="; depth:8; http_client_body; content:"&origemLangu="; http_client_body; content:"&namesAnti="; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9D07F97730AFD856BB15FEF08810C2CD0F53A61B951C9D33A1261F9859145018/analysis/; classtype:trojan-activity; sid:25666; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Sycomder variant outbound connection"; flow:to_server,established; content:"|0A 2E 0D 0A 0D|"; fast_pattern:only; content:"{Window}"; depth:256; offset:48; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/E5C7C48A5DB59ACC5FB1FBDBBB59193DB2966B2D343CE90D4282F94C456F5C24/analysis/; classtype:trojan-activity; sid:25665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rimod variant outbound connection"; flow:to_server,established; content:"/webserver"; fast_pattern:only; http_uri; content:"uptime="; nocase; http_uri; content:"ping="; nocase; http_uri; content:"hits="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/ee5e100e94f2484d896eb6f04f7541f706cc6b6e1871d4e9a75cb465ba8895f6/analysis/; classtype:trojan-activity; sid:25663; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chowspy variant outbound connection"; flow:to_server,established; content:"/check_counter.php"; fast_pattern:only; http_uri; content:"pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"kind="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/ba3a5098f80acc4cc3fd02a8765306f724b7d41c06285e74795ba109e63d32bd/analysis/; classtype:trojan-activity; sid:25662; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/bots.php"; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:"so="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/339640de61e725c495c2404565ffb1afb9b89c516306bf09697ca9a058eb98d5/analysis/; classtype:trojan-activity; sid:25661; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/js/disable.js?type="; fast_pattern:only; http_uri; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; content:"Accept-Language: en-us|3B 0D 0A|"; http_header; content:"wok5VLG.6"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Golisy variant outbound connection"; flow:to_server,established; content:"page=cpanel"; http_uri; content:"User-Agent: WinHTTP Example/1.0"; fast_pattern:only; http_header; content:"&sub=get"; http_uri; content:"&hwid="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/346B867851E09B06690BBAC978D105651F87CE278B2734EE8EE7ACEBF3BEFADC/analysis/; classtype:trojan-activity; sid:25632; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant connect to cnc-server"; flow:to_server,established; content:"|0D 0A|Nome da Maquina.....:"; fast_pattern:only; content:"|0D 0A|Data da Abertura....:"; content:"|0D 0A|Hora da Abertura....:"; within:25; distance:8; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/00C2C818CF6963E7BE5C6AB10BAA86389DAE020DE0DAC86205576A207FE5AEB4/analysis/; classtype:trojan-activity; sid:25628; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound connection"; flow:to_server,established; dsize:4; content:"|9A 02 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/dudley.php"; fast_pattern:only; http_uri; content:"remetente="; nocase; http_client_body; content:"destino="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e48184401b7c4f83b91079b56eec44f2f4f53311d8ac69a6380aa809458620fd/analysis/; classtype:trojan-activity; sid:25626; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8899 (msg:"MALWARE-CNC Win.Trojan.Daws variant outbound connection"; flow:to_server,established; content:"/log_it.php"; fast_pattern:only; http_uri; content:"t="; nocase; http_uri; content:"m="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9dd38d5e29d0249e04f09eb41e7163fc31395fbefc142f9031817ebb6b3014f0/analysis/; classtype:trojan-activity; sid:25625; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3121 (msg:"MALWARE-CNC Win.Trojan.Jimpime variant outbound connection"; flow:to_server,established; content:".php?action=add&id="; depth:50; content:"&ver="; within:50; content:"&cfgid="; within:50; content:"&getcmd=1&os="; within:50; fast_pattern; content:"&rd="; within:100; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/29311a4e5c198df5fa962fdef2e71bdb87a30ca76ce901ae779d30e9b8bfce1b/analysis/; classtype:trojan-activity; sid:25623; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Mofsmall variant outbound connection"; flow:to_server,established; dsize:260; content:"["; depth:1; content:"|20 2D 20|"; within:3; distance:10; pcre:"/^\[[0-3][0-9]\x2F[0-1][0-2]\x2F\d{4}\x20\x2d\x20[0-2][0-9]\x3A[0-5][0-9]\x3A[0-5][0-9]\x5D/"; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/1270987C46EEB3A931C8C32441CFE3A0222391C96EC5617C4A4CBEB7E75BD43E/analysis/; classtype:trojan-activity; sid:25610; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/insert.php"; fast_pattern:only; http_uri; content:"nome_pc="; nocase; content:"opcao="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25609; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dilavtor variant outbound connection"; flow:to_server,established; content:"&a=aff_3556"; fast_pattern:only; http_uri; content:"?i="; nocase; http_uri; content:"&u="; distance:0; nocase; http_uri; content:"&l="; distance:0; nocase; http_uri; content:"&f="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3116E49F16D0C789975DF51F1C103B3F30A60BE08FFE30D3BBC629FAC9C3AF67/analysis/; classtype:trojan-activity; sid:25600; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 11180 (msg:"MALWARE-CNC Win.Trojan.Gupboot variant outbound connection"; flow:to_server,established; dsize:525; content:"|0B 02|AS101"; depth:7; content:"|A8 FF 96 FF 91 FF|"; distance:0; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/02ae2a76805078501fcf91d6474ee3948abc07d7603194e143530e35cea3b0cb/analysis/; classtype:trojan-activity; sid:25599; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/admin/host.php"; fast_pattern:only; http_uri; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Virut variant outbound connection"; flow:to_server,established; urilen:17; content:".txt"; http_uri; content:"User-Agent|3A 20|Download"; fast_pattern:only; http_header; pcre:"/\/[a-z0-9]{12}\.txt$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/A310DE3A30A3D7E5651F8BDAE6FF6995F2B91331544DF054CD89D51C8D047F87/analysis/; classtype:trojan-activity; sid:25572; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medialabs variant outbound connection"; flow:to_server,established; content:"/?ping="; http_uri; content:"&instid="; distance:0; http_uri; content:"&step="; distance:0; http_uri; content:"&vermini="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25571; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medialabs variant outbound connection"; flow:to_server,established; content:"/?act="; http_uri; content:"&lang="; distance:0; http_uri; content:"&wmid="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/949F178D9A4B771CA8A4B517298EF00BEC3C4C08016CE9445C093BF444EB05FE/analysis/; classtype:trojan-activity; sid:25570; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; content:"/gateway.php"; fast_pattern:only; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; within:384; http_client_body; content:"&query="; within:128; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; classtype:trojan-activity; sid:25553; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Worm.Dipasik variant outbound connection"; flow:to_server,established; file_data; content:"Reply-To|3A| |22|Microsoft|22| <microsoft@microsoft.com>|0D 0A|"; nocase; content:"|09|--"; within:150; pcre:"/^Subject\x3a\s(\d{1,3}\x2e){3}\d{1,3}\x09\d{2,5}\x09(\d{1,3}\x2e){3}\d{1,3}\x7c\x09(Win|Unknown)/mi"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/567212D777CB7526DD09DA01AA55C752CB97E036D9402567E231B1E32047A437/analysis/; classtype:trojan-activity; sid:25551; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Perflog variant outbound connection"; flow:to_server,established; content:"=0D=0AThis is a report for computer |22|"; content:"|22|, IP address "; within:256; distance:1; content:", user |22|"; within:23; distance:7; content:"directly with your e-mail program.|0D 0A|--"; within:128; distance:40; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/737A45C77AD2C369BB6D8FB050765ECE964DDC3987DBAAABD79153BE3D6DD4AC/analysis/; classtype:trojan-activity; sid:25548; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; dsize:4; content:"GET|00|"; depth:4; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/39FAD1D9E19AED0845F655728D5CF6D9DB1745C5339102EBF2B6E778CAB82112/analysis/; classtype:trojan-activity; sid:25547; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Proxy.Agent variant outbound connection"; flow:to_server,established; content:"hello|2F|"; depth:6; content:"|2F|"; within:3; distance:2; content:"|2F|"; within:2; distance:3; content:"|2F|"; within:10; distance:30; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/42FC75C5249FC07AC6AC517E4CC45E18173449D9D54A064C2D532D00AFE7EE4A/analysis/; classtype:trojan-activity; sid:25546; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Printlove variant outbound connection"; flow:to_server,established; content:"/ldrcfg.php"; fast_pattern:only; http_uri; content:"id=x"; nocase; http_client_body; content:"cn="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/36aefe98416471a97e36f8e9e0ba36e5588a7b83eb776c0e62cfc9d55779380f/analysis/; classtype:trojan-activity; sid:25545; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.VB variant outbound connection"; flow:to_server,established; content:"User-Agent: Wininet|0D 0A|"; fast_pattern:only; http_header; content:"secret="; http_uri; content:"&usercode="; http_uri; content:"&action="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/DA04AAA2C9D57F1F044BCF24A4564742D4BB87030A097F69BB349457621BB6CA/analysis/; classtype:trojan-activity; sid:25543; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sigly variant outbound connection"; flow:to_server,established; content:"/kiss.php"; fast_pattern:only; http_uri; content:"|4D 61 CA 19 62 C9 58 BB|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/a24be7092e231bd309e2a5accffa0faccb9b0bdbeca3c176f2548e8f3704b616/analysis/; classtype:trojan-activity; sid:25541; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"?ac=get&u="; fast_pattern:only; content:"&rand=0,"; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/EF0FC0A22768B53CB7C007A59AA702B7B4A3B2D514497459080771155ABABD05/analysis/; classtype:trojan-activity; sid:25532; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/aq.asp?address=??"; fast_pattern:only; content:"/aq.asp?address=??"; depth:26; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/EF0FC0A22768B53CB7C007A59AA702B7B4A3B2D514497459080771155ABABD05/analysis/; classtype:trojan-activity; sid:25531; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; dsize:5; content:"Alive"; depth:5; nocase; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/EF0FC0A22768B53CB7C007A59AA702B7B4A3B2D514497459080771155ABABD05/analysis/; classtype:trojan-activity; sid:25530; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"|28|compatible|3B 20|ICS|29 0D 0A|"; fast_pattern:only; http_header; content:"OPC="; depth:4; http_client_body; content:"&ADM="; within:15; distance:1; http_client_body; content:"&MC="; http_client_body; content:"&AV="; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/EF0FC0A22768B53CB7C007A59AA702B7B4A3B2D514497459080771155ABABD05/analysis/; classtype:trojan-activity; sid:25529; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|"; depth:9; offset:8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/cgi-bin/op.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:16; content:"/cgi-bin/sba.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/log"; depth:4; offset:16; content:"User-Agent: Mozilla/4.0|0D 0A|"; within:25; distance:73; content:"|0D 0A 0D 0A DD E3|"; within:256; distance:24; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/4D89364A1EE4C3D14102631D9807764DC538DF4E85C91912252BACA0C45EA484/analysis/; classtype:trojan-activity; sid:25477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LoDo variant outbound connection"; flow:to_server,established; content:"INFO|7C 7C|"; depth:6; content:"|7C 20|Windows|20|"; within:256; distance:5; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/F18FCE09247EA936C284E2AE740D7BBAEE74F8183220735E59A9D39E776FC244/analysis/; classtype:trojan-activity; sid:25470; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"/new/iistart.html"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b2a59c329413ac9527e78ac791f96e81113426f57027c335c1dd96ce820a115d/analysis/; classtype:trojan-activity; sid:25465; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Downloader.Jinch variant outbound connection"; flow:to_server,established; content:"&jinchengshu="; fast_pattern:only; content:"mac="; content:"&userid="; within:12; distance:17; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b2e61ef4fcc5b033e3b1f74e34813c485541e19ce893706b317310bed6cb5f6e/analysis/1357959334/; classtype:trojan-activity; sid:25448; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ruskill variant outbound connection"; flow:to_server,established; content:"/rssnews.php"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; content:"varname="; nocase; http_client_body; content:"comp="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5a0d64cc41bb8455f38b4b31c6e69af9e7fd022b0ea9ea0c32c371def24d67fb/analysis/; classtype:trojan-activity; sid:25371; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"USER USER "; depth:10; content:":REALNAME|0D 0A|"; within:256; distance:4; metadata:impact_flag red, policy security-ips drop, service ircd; reference:url,www.virustotal.com/file/04beaf75091f8c0b5edf0f3ea1c76cf0c50ce2775408069e1b38d41fc21bc3d2/analysis/; classtype:trojan-activity; sid:25268; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; content:"/file.aspx?file="; fast_pattern:only; http_uri; content:"ksp/WS"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [110,8080] (msg:"MALWARE-CNC Win.Trojan.Basutra variant outbound connection"; flow:to_server,established; content:"|7E 77 6F 6F 6F 6F|"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service pop3; reference:url,www.virustotal.com/file/1F8FB6C3EEEB6F17A6D08094B3154DF2C517BFB52698E72DBF8D197A201941A3/analysis/; classtype:trojan-activity; sid:25249; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"cli="; depth:4; http_client_body; content:"&pcnome="; within:72; distance:1; http_client_body; content:"&tipo="; within:128; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/633B0AF5196A86B195D52A6AFD19F1B2011355BA9D4737197D1B6A8A078E4FF3/analysis/; classtype:trojan-activity; sid:25244; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Duapz variant outbound connection"; flow:to_server,established; content:"|7C|Windows"; depth:24; offset:7; content:"|BA CB 2A|"; within:16; distance:2; content:"MHz|7C|"; within:9; distance:2; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/98DD628198783F1167D5991F2B253D887C24E3884DBFF528F02F6AF4C6D9A9E9/analysis/; classtype:trojan-activity; sid:25242; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NetTrash variant outbound connection"; flow:to_server,established; content:"&subject=New+Victim+at+"; http_client_body; content:"/WWPMsg.dll"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3FA48CBB46BDBB31A44461AEC4E30BC5F873C4CE63EEAC07399C0C271FD065E1/analysis/; classtype:trojan-activity; sid:25241; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Menti variant inbound connection"; flow:to_client,established; content:"xiazaiyanshi"; fast_pattern:only; file_data; content:"[update]|0D 0A|"; file_data; content:"ver="; file_data; content:"url1=http://"; file_data; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5c8e472bd3dcad89c828141246c9b9fdb40a1e0684fe0f6c70a963547d4056e4/analysis/1356518897/; classtype:trojan-activity; sid:25240; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"USER NetBot|20|"; fast_pattern:only; content:"JOIN #back2roots|20|"; metadata:impact_flag red, policy security-ips drop, service irc; reference:url,www.virustotal.com/file/97E4655965ECDAF5B6F139CAA0AAB5A914D65DA0CD799A8C73C648D44B39441A/analysis/; classtype:trojan-activity; sid:25239; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Firelog variant outbound connection"; flow:to_server,established; content:"|22|Fire.txt|22|"; fast_pattern:only; http_client_body; content:"&mfol="; http_uri; content:"&dis="; http_uri; content:"&utp="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b6dddd492e60d1873eaa77c9d367fe520d5ccc647b44e988572233a5dd00c0ce/analysis/1356360491/; classtype:trojan-activity; sid:25237; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"D4T4______:"; content:"H0R4______:"; within:11; distance:13; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/1b30a994ebd154dc87ae46c65d394cea38741865fc0fee408cfe7ebce60841fa/analysis/1357157165/; classtype:trojan-activity; sid:25231; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Darkkomet variant outbound connection"; flow:to_server,established; content:"A57DAD495BEC"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/DA4C0907B8FCABDD9E821EDE905A6F09D32B2DBE6A58D90C4FE31164993E5796/analysis/; classtype:trojan-activity; sid:25230; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Darkkomet variant inbound connection"; flow:to_client,established; content:"BF7CAB464EFB"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/DA4C0907B8FCABDD9E821EDE905A6F09D32B2DBE6A58D90C4FE31164993E5796/analysis/; classtype:trojan-activity; sid:25229; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Autoit.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|44 4D 7F|"; depth:3; content:"|7F 4E 6B 6E 61 79|"; depth:6; offset:17; metadata:impact_flag red, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/file/199CE03479E486EFA6A1E506AAD5985CD11476F85ADD613795566ABD397B97F7/analysis/; classtype:trojan-activity; sid:25109; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Proxy.Agent variant outbound connection"; flow:to_server,established; content:"STARTOK|7C|"; depth:8; pcre:"/([0-9]{1,3}\.){3}[0-9]{1,3}|7C|\d{1,5}/R"; metadata:impact_flag red, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/file/864B75919C429AD9C2A285E2028AD828EF06BB19870F696D6BE65A35E0423872/analysis/; classtype:trojan-activity; sid:25108; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"CHEGOU|7C|"; fast_pattern:only; content:"|7C|Microsoft Windows|20|"; metadata:impact_flag red, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/file/32DC52E8B8FEEF6BEF7E1344A8B6957EC2131C6ED891EB837FF1F12A3F74846C/analysis/; classtype:trojan-activity; sid:25107; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Njrat variant outbound connection"; flow:to_server,established; content:"|7C 27 7C 27 7C|Win"; fast_pattern:only; content:"|7C 27 7C 27 7C|Yes|7C 27 7C 27 7C|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/349D85C0CDEA3C6B3467C06AB0AD2AFB53DF091E8FBF71AC4320D565ADD6623A/analysis/; reference:url,www.virustotal.com/file/3c3bd38fb908c4b6b33b3d83595d4bcef974379937f53b7a51e695ba71c1bd50/analysis/; classtype:trojan-activity; sid:25100; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Daws variant outbound connection"; flow:to_server,established; content:"/write.php"; fast_pattern:only; http_uri; content:"db="; depth:3; http_client_body; content:"&ch="; within:32; http_client_body; content:"&name="; within:16; http_client_body; content:"&email="; within:128; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6B16E4C0DB5E89EE9F93C85BA73F8BB5FC68C15A3E7981705B6BB9308C9E6323/analysis/; classtype:trojan-activity; sid:25099; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Daws variant outbound connection"; flow:to_server,established; content:"/list.php?db="; http_uri; content:"&p="; within:32; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6B16E4C0DB5E89EE9F93C85BA73F8BB5FC68C15A3E7981705B6BB9308C9E6323/analysis/; classtype:trojan-activity; sid:25098; rev:2;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"proxy server on port |5B|"; fast_pattern:only; content:"waiting for client |2E 2E 2E|"; nocase; content:"Authentication begin|2E 2E 2E 2E|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25093; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Halnine variant outbound connection"; flow:to_server,established; content:"Host|3A| temp.microsoftsupgrade.com|0D 0A|"; fast_pattern:only; content:"|0D 0A|Computer|3A 20|"; pcre:"/^GET \/(?P<name>[^\/]+)\/\s.*?\r\nComputer\x3a (?P=name)\r\n.*?(?P=name) Connected/smi"; metadata:impact_flag red, policy security-ips drop, service ssl; reference:url,www.virustotal.com/file/5334B3665EA1943F1DAF9C36931C1FE3D2682FE0F67868A3201EE052F890506F/analysis/; classtype:trojan-activity; sid:25077; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Worm.Joanap variant variant outbound connection"; flow:to_server,established; content:"TO|3A| Joana |3C|"; depth:11; content:"|7C|Windows "; within:72; distance:25; content:"|7C|"; within:3; distance:3; content:"|7C|"; within:32; pcre:"/\x3e\x0d\x0aSUBJECT\x3a (\d{1,3}\x2e){3}\d{1,3}\x7c[^\r\n]*\x7c\d{2,4}\x0d\x0a/G"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8a8f67c7794a39ab47eadc6ab43ac467478ddd231299141dc836efec374c2779/analysis/; classtype:trojan-activity; sid:25076; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; content:"/safe.swf"; fast_pattern:only; http_uri; content:"If-Modified-Since: Sat, 1 Jan 1970 00:00:00 GMT"; http_header; content:"mc="; nocase; content:"FhX8BuK0m21O"; within:60; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/14d3013aaba3a5bb9e0b8f0c6bde28e2ecd61d6347720f16322935fb8bb84f25/analysis/; classtype:trojan-activity; sid:25075; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/Post.Php?"; fast_pattern:only; content:"UserName="; nocase; content:"Bank="; nocase; content:"Money="; nocase; content:"Accept-Language:"; nocase; content:"zh-cn"; within:10; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/7d70bdcf5329404920570c96e084c78d8756bff8932832a357866eb4c57555cf/analysis/; classtype:trojan-activity; sid:25074; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lowzone variant outbound connection"; flow:to_server,established; content:"/zn.php"; fast_pattern:only; content:"gd="; nocase; content:"ox="; nocase; content:"osw="; nocase; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/40506be9531683cdf3e01524d6bc739b5f3ca3e9b4f9c5571341ee9cad380ce7/analysis/; classtype:trojan-activity; sid:25073; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dulom variant outbound connection"; flow:to_server,established; content:"/services.php"; fast_pattern:only; http_uri; content:"get="; nocase; http_uri; content:"ver="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25072; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Macnsed variant outbound connection"; flow:to_server,established; content:"/gtskinfo.aspx"; fast_pattern:only; content:"ver="; nocase; content:"m="; nocase; content:"p="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f32f4af269d5cfd038d7f3c421d4d725fcbd8469a7c8327845dbf03626aef0f2/analysis/; classtype:trojan-activity; sid:25071; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:".php?s="; nocase; http_uri; content:"g=nb.Install"; fast_pattern:only; http_uri; content:"m="; nocase; http_uri; content:"ml="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cbcc6536ebb20f9d936d88e20a29c1c1d9a55555623bf74ee6908d9c7c7af9b9/analysis/; classtype:trojan-activity; sid:25070; rev:3;)
# alert tcp $EXTERNAL_NET 6655 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Riler inbound connection"; flow:to_client,established; content:"NAME:"; fast_pattern:only; pcre:"/^(ATTR|AUTO|DDLL|DEAD|DISK|DONE|DOWN|FILE|KEEP|KILL|LIKE|LONG|MAKE|MOON|NAME|READ|SEEK|SEND|WAKE)\x3a/smi"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; reference:url,www.virustotal.com/file/1567389c8365c09b3d7833c4a5dedcc968b9b5f3f34a52f44f22b3666ef1768a/analysis/; classtype:trojan-activity; sid:25068; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6655 (msg:"MALWARE-CNC Win.Trojan.Riler variant outbound connection"; flow:to_server,established; content:"ID: NoID"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2010-3333; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-087; reference:url,www.virustotal.com/file/1567389c8365c09b3d7833c4a5dedcc968b9b5f3f34a52f44f22b3666ef1768a/analysis/; classtype:trojan-activity; sid:25067; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11<>20; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:!"Content-Disposition"; http_client_body; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik.Kolilks variant outbound connection"; flow:to_server,established; content:"/kills.txt?"; fast_pattern:only; http_uri; pcre:"/\x2fkills\x2etxt\x3f(t\d|p)\x3d\d{6}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/24a892d90f819cea79dfe6f8acd007bad920dbf55c1bfdaffc984cb8efa32527/analysis/; classtype:trojan-activity; sid:25049; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Win.Trojan.Nevsyn variant outbound connection"; flow:to_server,established; content:"|00 00 08 02 00 00|"; depth:6; offset:2; content:"MB"; within:400; distance:32; content:"MHz"; within:64; distance:8; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/file/D0AB65722CCC937889D78DC0FFFC3CA865869C546634702CD4A6233F75122F44/analysis/; classtype:trojan-activity; sid:25030; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"Subject: Eu Te Adoro"; content:"/   Saborosas"; fast_pattern:only; content:"X-Library: Indy"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/39FAD1D9E19AED0845F655728D5CF6D9DB1745C5339102EBF2B6E778CAB82112/analysis/; classtype:trojan-activity; sid:25029; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Peed variant outbound connection"; flow:to_server,established; content:"=Type of Procfssor:"; fast_pattern:only; http_uri; content:"/adload.php?"; http_uri; content:"&table=adv"; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/97C8A6FFD5DAAD5822B929760C61F2A9EAAFB1CBDC1D0F895DF0E3219416BAE8/analysis/; classtype:trojan-activity; sid:25028; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Opachki variant connect to cnc-server"; flow:to_server,established; content:"/2/z.php"; http_uri; content:"&wv=%"; http_client_body; content:"&lang=%"; within:192; distance:8; http_client_body; content:!"User-Agent"; http_header; pcre:"/id=[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}/Pi"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/56834f6671aac3c5f4c88e892b5284b635b5ce77732800a72c3586270497f1b4/analysis/; classtype:trojan-activity; sid:25027; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Juasek variant outbound connection"; flow:to_server,established; dsize:10; content:"|05 01 00 01|"; depth:4; content:"|AD 9C|"; within:2; distance:4; content:!"Host:"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/583C3316D214E6ECB519E4E85CE5BC2354F0E2BD0E639B31BDA61E08BABD6F48/analysis/; classtype:trojan-activity; sid:25026; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Downloader.Recslurp variant outbound connection"; flow:to_server,established; dsize:10; content:"|20 00 05 00 00 00 06 00|"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/682386A14177AFFA24ED3C034EF34E2414ABEE6C77C369F3055BBB1C6BD9D8F8/analysis/; classtype:trojan-activity; sid:25025; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:"/task.php?"; http_uri; pcre:"/&version=\d{5}/U"; pcre:"/&user=[0-9a-z]{32}/U"; pcre:"/&server=\d{1,4}|0D 0A|/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/F289AD1E36081C165875C96806D3C65C479AFA7BC42BC31D1FEC4C6D1D1BE1C8/analysis/; classtype:trojan-activity; sid:25024; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:"/config.php"; http_uri; pcre:"/&version=\d{5}/U"; pcre:"/&user=[0-9a-z]{32}/U"; pcre:"/&server=\d{1,4}|0D 0A|/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/F289AD1E36081C165875C96806D3C65C479AFA7BC42BC31D1FEC4C6D1D1BE1C8/analysis/; classtype:trojan-activity; sid:25023; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dapato variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/cobra/cobra.php"; fast_pattern:only; http_uri; content:"action="; depth:7; http_client_body; pcre:"/^action=[^&]+?&host=instances\/[^&]+?&data=payloads\//miP"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e2e1ec9b7ab1564f599da3274dbe6143fbe80535e5db38b19429441608407116/analysis/; classtype:trojan-activity; sid:25022; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Azbreg variant outbound connection"; flow:to_server,established; content:"/0xabad1dea.php?"; fast_pattern:only; http_uri; content:"&c=37006"; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/68F6412ED6110ED8E2CDFBC478EFD797682213333A0E796DFC55C5A897E741E2/analysis/; classtype:trojan-activity; sid:25021; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"JOIN #rape anal"; fast_pattern:only; content:"blaze"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ircd; reference:url,www.virustotal.com/file/ab3a73bca380bfd055d27539cb2d131c8c3554835d4056282ce3271a590b27b2/analysis/; classtype:trojan-activity; sid:25016; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Perflog variant outbound connection"; flow:to_server,established; content:"Activity=20report:="; fast_pattern:only; content:"filename=|22|keystrokes.html|22|"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/84F821E6D910DCE421FA7D0411B14C07D48BA3A12854BA69E8C90119F80254FE/analysis/; classtype:trojan-activity; sid:25011; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Perflog variant outbound connection"; flow:to_server,established; content:"Perfect=20Keylogger=20was=20installed=20successfully:="; fast_pattern:only; content:"Perfect Keylogger was installed on the computer"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/file/84F821E6D910DCE421FA7D0411B14C07D48BA3A12854BA69E8C90119F80254FE/analysis/; classtype:trojan-activity; sid:25010; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Wealwedst variant outbound connection"; flow:to_server,established; content:"stealer"; depth:32; nocase; content:"PC|20|Name|3A 20|"; depth:128; fast_pattern; metadata:impact_flag red, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/d4f86317be349ad7de04a52de51ec3c465da7bc1f304ff063dfc90bd2c0ad274/analysis/; classtype:trojan-activity; sid:25007; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/tech/snwd.php?tp="; fast_pattern:only; http_uri; content:"tg="; http_uri; content:"tv="; http_uri; content:"mt="; http_uri; content:"tr="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/cdc95713a4d960944a4079ee820e18581582aa0ad3165ff1f604f6219c6fdff8/analysis/; classtype:trojan-activity; sid:24976; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Turspy variant outbound connection"; flow:to_server,established; content:"*deployedildi*"; http_uri; content:"/users/?msj="; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/ac58c198d6dd6544d72a01436cd505ca9a66f9c7a80f53c203c95bbc622ed02c/analysis/; classtype:trojan-activity; sid:24918; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Turspy variant outbound connection"; flow:to_server,established; content:"*acildi*"; http_uri; content:"?msj="; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/ac58c198d6dd6544d72a01436cd505ca9a66f9c7a80f53c203c95bbc622ed02c/analysis/; classtype:trojan-activity; sid:24917; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"/sntemp.php"; http_uri; content:"name=|22|serie7|22 0D 0A 0D 0A|exec|0D 0A|"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/F0BE2F1EE023091B86FCE52E1BFEA1342BB38B9C33CFE373B168EF1A02D3B163/analysis/; classtype:trojan-activity; sid:24916; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gnutler variant outbound connection"; flow:to_server,established; content:"User-Agent:|20|ver:"; fast_pattern:only; http_header; content:"|7C|os:"; http_header; content:"|7C|admin:"; http_header; content:"|7C|port:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/bc9ab894cf8229ab9b233d89595d962c7d226c8e72880d60d93f79fe4f7a6215/analysis/; classtype:trojan-activity; sid:24873; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Quarian variant outbound connection - proxy connection"; flow:to_server,established; content:"CONNECT"; http_method; content:"Proxy-Connetion|3A|"; fast_pattern:only; http_header; content:"Content_length|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/dce3412caecdb1c4959adb5794bbe3b69348b26b97360ef262acf5fd2c0dfa2c/analysis/; classtype:trojan-activity; sid:24858; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant outbound connection"; flow:to_server,established; content:"|78 9C 4B 63 60 60 98 03 C4 AC 40 CC 08 C4 1A 5C 0C 0C 4C 40 3A 38 B5 A8 2C 33 39 55 21 20 31 39 5B C1 88|"; depth:35; offset:13; metadata:impact_flag red; reference:url,www.virustotal.com/file/4fa53e258be227156143a53e3eb7fd44554aa4030d00bc73254cae95185b2efb/analysis/; classtype:trojan-activity; sid:24857; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Dycler variant outbound connection"; flow:to_server,established; content:"&Status=Lock"; fast_pattern; http_uri; content:"/flower.php?"; http_uri; pcre:"/id=\d{6,10}/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/9479062ED1BD310C373512981957AF7A7677BAF4F99486DDF74A389F096D258B/analysis/; classtype:trojan-activity; sid:24635; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Klovbot variant outbound connection"; flow:to_server,established; content:"/bots.php"; http_uri; content:"iName="; depth:6; http_client_body; content:"&STLftps="; within:128; distance:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/56517C442332FC29324078ADC310AEF075B53B33F7B0E94685A1548C3A5F1F9E/analysis/; classtype:trojan-activity; sid:24630; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla Firefox|0D 0A|"; fast_pattern:only; http_header; content:"A=AAAA"; depth:6; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/B41817971FB89C0D860AA9F220C414327EA7D3887DF402B4807622A822714216/analysis/; classtype:trojan-activity; sid:24623; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Barkiofork variant outbound connection"; flow:to_server,established; content:"/s/asp?"; fast_pattern:only; http_uri; content:"fAAAA"; nocase; http_uri; content:"-p="; within:80; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:24586; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Barus variant outbound connection"; flow:to_server,established; content:"/_hello.php?param=|9B 93 93 89 9A 8D 8C 96 90 91 C2|"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/F6B7DF4009F41D103F5B856F1C6F1E6C05667D21F4F7528EF554C7E2ADB4F39C/analysis/; classtype:trojan-activity; sid:24576; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"&ct=100000000"; fast_pattern:only; http_uri; content:"/server.php"; http_uri; pcre:"/[\x26\x3f]m=[0-9A-F]{12}/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/A7CE92B178FDB1CF4BCE31C05C6C190B024CF15B9AFC8ECCEFD53072AB2D9DDC/analysis/; classtype:trojan-activity; sid:24569; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Olmarik variant outbound connection"; flow:to_server,established; content:"/logum.php?log="; fast_pattern:only; http_uri; content:"|7C|id="; nocase; http_uri; content:"|7C|os="; nocase; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/B35C9D6A7D57A1B8FFFBA0F6DAB0DF859668A6D99446635367B629ED0FE3ABCD/analysis/; classtype:trojan-activity; sid:24567; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; content:"/adduser.php?uid="; nocase; http_uri; content:"&lan="; distance:0; nocase; http_uri; content:"&cmpname="; distance:0; nocase; http_uri; content:"&country="; distance:0; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CE3FCBDCB255109126530E343DCAF7E6E13C3E9A2B2DD088BBF089E16E83FC0E/analysis/; classtype:trojan-activity; sid:24566; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Msposer variant outbound connection"; flow:to_server,established; content:"/insert.php"; http_uri; content:"action=online&computer="; fast_pattern:only; http_uri; pcre:"/&range=(\d{1,3}\x2e){3}\d{1,3}\x2d/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/AC7699962AA27C68D441599D01F3482FC1939AF2AF11A46866FEF88F5BC339CE/analysis/; classtype:trojan-activity; sid:24565; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Helai variant outbound connection"; flow:to_server,established; content:"CONNECTED|7C|"; depth:10; content:"MHz|0D 0A|"; distance:0; content:"|7C|Idle...|7C|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/file/3FEBD33757873A55036D3A8C16E9369AF67625FAD1E32A904C78A8E8363C7101/analysis/; classtype:trojan-activity; sid:24564; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Veli variant outbound connection"; flow:to_server,established; content:"Yuok$$"; fast_pattern:only; http_client_body; content:"User-Agent: Asynchronous WinHTTP/1.0"; nocase; http_header; content:"logon.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/953a812f745cb3b0e5abc59c5df68dcb8e3db2ee0af8ae419480cc2c2ada27f4/analysis/; classtype:trojan-activity; sid:24563; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; content:"/Stat.ashx?Mac="; nocase; http_uri; content:"&Hard="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/D61738809C78F44359D1B33DEACA138A2A912A98FDD1686D23D16A78B3A717E6/analysis/; classtype:trojan-activity; sid:24562; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Beystreet variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?act=user"; nocase; http_uri; content:"Version="; http_client_body; content:"&Permissions="; distance:0; http_client_body; content:"&Build="; distance:0; http_client_body; content:"&hash="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/ab7016a4cdd0cacb7b555560173fc3e8075a70ee14fd30aca5595b08d578d26b/analysis; classtype:trojan-activity; sid:24542; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Unebot variant outbound connection"; flow:to_server,established; content:"|C7 70 1D 29 99 5F AE 42 81 B6 91 BB 1D 87 2E 3B|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/file/e35a35a9b88271c15365de50810d5f2f6e3fecf647ade39a5cd3aa327f5ba510/analysis; classtype:trojan-activity; sid:24541; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom variant outbound connection"; flow:to_server,established; content:"/gate.php|3F|"; http_uri; content:"cmd|3D|"; http_uri; content:"|26|botnet|3D|"; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24539; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; content:"/envio.php"; http_uri; content:"destinatario|3D|"; http_client_body; content:"|26|titulo"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24534; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/~monducci/email.php"; fast_pattern:only; http_uri; content:"remetente"; http_client_body; content:"assunto=Infect"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/c984c3077daffeaf19cecda6d0ca6eac5102af9dd0e9cfd93867fd22d47cac49/analysis/; classtype:trojan-activity; sid:24533; rev:2;)
alert tcp $EXTERNAL_NET 406 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Scondatie.A inbound connection"; flow:to_client,established; content:"<div id=|22|sina_keyword_ad_area2|22| class=|22|articalContent|22|>"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/0CF369DA7188B4634E8EC6F303F0F14D2D54E89B0E0EF90DF4EEAF4857875D21/analysis/; classtype:trojan-activity; sid:24532; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 406 (msg:"MALWARE-CNC Win.Trojan.Scondatie.A variant outbound connection"; flow:to_server,established; content:"GET /gg.txt?qsEwvCtsuBCBB???}.html"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/0CF369DA7188B4634E8EC6F303F0F14D2D54E89B0E0EF90DF4EEAF4857875D21/analysis/; classtype:trojan-activity; sid:24531; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Begman variant connection to cnc-server"; flow:to_server,established; content:"php?"; nocase; http_uri; content:"v="; nocase; http_uri; pcre:"/id=\x2d?\d{10}/iU"; content:"&wv="; nocase; http_uri; content:"WORKED|0D 0A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/7086615a407e51114fac453aa6bef784f68ce8601e7b29459e0b2c4ee883bc8f/analysis/; classtype:trojan-activity; sid:24529; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"MALWARE-CNC Win.Backdoor.MautoitRAT variant outbound connection"; flow:to_server,established; content:"SISTEMA= "; fast_pattern:only; content:"PASS= "; content:"COMPUTER= "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/4245935950f1423fee4531a945634985ac15e04f5a99d5b1599449c5078ac366/analysis/; classtype:trojan-activity; sid:24523; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Lucuis variant outbound connection"; flow:to_server,established; content:"user_login.php"; fast_pattern:only; content:"|8D F3 75 EA DC|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:24514; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.BanSpy variant outbound connection"; flow:to_server,established; content:"Endere|E7|o|3A| "; content:"Vers|E3|o do Windows|3A| "; fast_pattern:only; content:"Nome no PC|3A| "; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/file/43a08096543312fdb1a700255f31780b3b19c66b2df2e6195f127fcba736c108/analysis/; classtype:trojan-activity; sid:24505; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; content:"/omerta/Mail/Mail1.3.php?"; http_uri; content:"OS=Windows"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f7eff299783ff52a27fb25f479868eebb4e838ef8a5af0b123d316a712b522e8/analysis/; classtype:trojan-activity; sid:24504; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/unshopping3.cgi?b="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24497; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24496; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/cgi-bin/rokfeller3.cgi?v=11"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24495; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/images2/"; nocase; isdataat:500,relative; pcre:"/^\/images2\/[0-9a-fA-F]{500,}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24494; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/html/license_"; nocase; http_uri; isdataat:550,relative; pcre:"/\/html\/license_[0-9A-F]{550,}\.html$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24493; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/se/"; nocase; http_uri; isdataat:100,relative; pcre:"/\/se\/[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:24492; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo redirection landing page pre-infection"; flow:to_server,established; content:"/cgi-bin/r.cgi"; depth:14; nocase; http_uri; content:"?p="; distance:0; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&h="; distance:32; nocase; http_uri; content:"&u="; distance:0; nocase; http_uri; content:"&q="; distance:0; nocase; http_uri; content:"&t="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www9.dyndns-server.com:8080/pub/botnet-links.html; classtype:trojan-activity; sid:24491; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chif variant outbound connection"; flow:to_server,established; content:"/?f=ZnRwOi8v"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3d5f26b36d57268e01c60ad1fd0d6b36bd4fdc3b2e83cea231b1f9ff635a6f50/analysis; classtype:trojan-activity; sid:24482; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Quervar variant outbound connection"; flow:to_server,established; content:"/bl/in.php?"; http_uri; content:"&pin="; within:5; distance:8; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/25016e3f710309e52590dafae364fc5f4f4e7310f29ace6a139ca082eca1ff39/analysis/; classtype:trojan-activity; sid:24451; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Tibeli variant outbound connection"; flow:to_server,established; content:"|DC C1 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:impact_flag red, service ssl; reference:url,www.virustotal.com/file/3559247fb056e8f695bdf2e3fed2962a7a8653e9f52cf445c933d7adc0ea2303/analysis/; classtype:trojan-activity; sid:24450; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Java.Exploit.Agent variant outbound connection"; flow:to_server,established; content:"/meeting/hi.exe"; http_uri; content:"Java/1.7"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/6A1ABD938F304E08EC495B305BE4AD3151FE29372B07748FF0B5BF7E0B083689/analysis/; classtype:trojan-activity; sid:24449; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/feed?type="; http_uri; content:"empty&ua="; within:9; fast_pattern; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/057E128C712B7EE40F0A868083298606EC4FF3EBB7E91457B57991CC0A38C4AF/analysis/; classtype:trojan-activity; sid:24445; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/feed?type="; http_uri; content:"live&ua="; within:8; fast_pattern; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/057E128C712B7EE40F0A868083298606EC4FF3EBB7E91457B57991CC0A38C4AF/analysis/; classtype:trojan-activity; sid:24444; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/feed?type="; http_uri; content:"search&ua="; within:10; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/057E128C712B7EE40F0A868083298606EC4FF3EBB7E91457B57991CC0A38C4AF/analysis/; classtype:trojan-activity; sid:24443; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chiviper variant outbound connection"; flow:to_server,established; content:"d10="; http_uri; content:"d11="; http_uri; content:"d21="; http_uri; content:"d22="; http_uri; content:"User-Agent|3A| Example"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/1b79d2d27a386ab40a1452514cf82f8aa65c7c406610787ac8be7cb9f710859b/analysis/; classtype:trojan-activity; sid:24440; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Encriyoko variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Go http package|0D 0A|"; fast_pattern:only; http_header; content:"/downs/zdx.tgz"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9562bd4c4fa237ba85247d7c4cf0f9ab7631a97f1c641eaf3aa66223726a909f/analysis/; classtype:trojan-activity; sid:24439; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mirage variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"result?hl=en&meta="; fast_pattern:only; http_uri; content:"Mjtdkj"; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign; classtype:trojan-activity; sid:24438; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mirage variant outbound connection"; flow:to_server,established; content:"AE4AZQBvACwAdwBlAGwAYwBvAG0AZQAgAHQAbwAgAHQAaABlACAAZABlAHMAZQByAHQAIABvAGYAIAByAGUAYQBsAC4"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/the-mirage-campaign; classtype:trojan-activity; sid:24437; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Misun variant outbound connection"; flow:to_server,established; content:"ET"; depth:2; http_method; content:"User-Agent: Mozilla/100"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/bd908ed0fe27c3e98dbde9e0efd4cad58af4ab2a288b50cfff93a2c148c09db0/analysis/; classtype:trojan-activity; sid:24420; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/phpbb/get.php?id="; http_uri; content:"&key="; within:5; distance:32; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/0633C09825760DC8107947FDE583D1F6CDD19E101BAB81A05CBAE514CDEEC5F6/analysis/; classtype:trojan-activity; sid:24419; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vundo variant outbound connection"; flow:to_server,established; content:"/phpbb/slog.php?install="; http_uri; content:"User-Agent: IExplorer"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/0633C09825760DC8107947FDE583D1F6CDD19E101BAB81A05CBAE514CDEEC5F6/analysis/; classtype:trojan-activity; sid:24418; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/wen/index.php"; http_uri; content:"smk=AmFvZj9lZ3ZlcGNg"; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/cfe492a324dac1d5dc852d5ea7910a8c775254d47a0d6b9776e36653f3850ed9/analysis/ ; classtype:trojan-activity; sid:24417; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/wen/index.php"; http_uri; content:"smk=AmFvZj9lZ3ZycG16ew=="; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/cfe492a324dac1d5dc852d5ea7910a8c775254d47a0d6b9776e36653f3850ed9/analysis/; classtype:trojan-activity; sid:24416; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; content:"/cgi-bin/counter.cgi"; fast_pattern:only; http_uri; content:"Host:"; nocase; http_header; pcre:"/^Host\x3a\s*(194.192.14.125|202.75.58.179|flashupdates.info|nvidiadrivers.info|nvidiasoft.info|nvidiastream.info|rendercodec.info|syncstream.info|videosync.info)/smiH"; flowbits:set,malware.miniflame; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, service http; reference:url,www.virustotal.com/file/741c49af3dbc11c14327bb7447dbade53f15cd59b17f1d359162d9ddbfdc1191/analysis/; classtype:trojan-activity; sid:24407; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MiniFlame variant outbound connection"; flow:to_server,established; content:"/cgi-bin/feed.cgi"; fast_pattern:only; http_uri; content:"Host:"; nocase; http_header; pcre:"/^Host\x3a\s*(cache.dyndns.info|flashcenter.info|flashrider.org|webapp.serveftp.com|web.autoflash.info|webupdate.dyndns.info|webupdate.hopto.org|web.velocitycache.com)/smiH"; flowbits:set,malware.miniflame; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24406; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Banker variant outbound connection"; flow:to_server,established; content:"/checkinfect.php"; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3bc048dc2e3df418718dbfe07957e526af87a4e3b762b76ea507712c89d7ff33/analysis/; classtype:trojan-activity; sid:24405; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Mooochq variant outbound connection"; flow:to_server,established; content:"/index000000"; content:"Content-Length: 000041|0D 0A|"; content:"|89 98 89 88 92 8C 80 92 84 92 9E 85 8C 9F 9D E0|"; within:16; distance:2; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/4a03c174c247a86501889baca416811fd794fa4cef501121ba0be8bc78964d4d/analysis/; classtype:trojan-activity; sid:24399; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Mooochq variant outbound connection"; flow:to_server,established; content:"/search?n=000000002&DUDE_AM_I_SHARP"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/4a03c174c247a86501889baca416811fd794fa4cef501121ba0be8bc78964d4d/analysis/; classtype:trojan-activity; sid:24398; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tracur variant outbound connection"; flow:to_server,established; content:"/se.php?"; fast_pattern:only; http_uri; pcre:"/((pop\=\w+)+.*(aid\=\w+)+.*(sid\=\w+)+.*(key\=\w+))/Usi"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/b5aebbf2d4ab57a09f9d006289b91b153ed3858f68f3b71f86c27fd5b17f675b/analysis; classtype:trojan-activity; sid:24385; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tracur variant outbound connection"; flow:to_server,established; content:"/inst.php?aid=hidden"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/b5aebbf2d4ab57a09f9d006289b91b153ed3858f68f3b71f86c27fd5b17f675b/analysis; classtype:trojan-activity; sid:24384; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dipwit outbound connection"; flow:to_server,established; content:"w=|00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; content:"/sd.php"; nocase; http_uri; content:"POST"; http_method; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/bf30046997b0a6a1c18d19ecf0830b1c67a04b372a9b9013ba7d0ad2ad9e112b/analysis; classtype:trojan-activity; sid:24383; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.XBlocker outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (SPGK)"; fast_pattern:only; http_header; content:"/rz/report.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24382; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.XBlocker outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (SPGK)"; fast_pattern:only; http_header; content:"/rz/mn.php?ver="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/68051395c25797dc668101cdd0086109cfae0114cf4d2df7d241035378b1ec13/analysis; classtype:trojan-activity; sid:24381; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB variant outbound connection"; flow:to_server,established; content:"/reportmac.asp"; nocase; http_uri; content:"User-Agent: http"; fast_pattern:only; http_header; content:"anma="; nocase; http_uri; content:"zhanghao="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e2636ae650252d760e15b13d80603d48081ebb664e6143fe1a257b4cd015d2c0/analysis/; classtype:trojan-activity; sid:24375; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Agent variant outbound connection"; flow:to_server,established; content:"/TestURL.asp"; http_uri; content:"1234567890"; depth:10; http_client_body; content:"User-Agent: www|0D 0A|"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/48BC6C0DF3302F7EAA6061C4F3B0357B4C512D5BD6F6088ABC6FC274F2EFC5AA/analysis/; classtype:trojan-activity; sid:24374; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper.Agent variant outbound connection"; flow:to_server,established; content:"/Nfile.asp"; http_uri; content:"GetFile"; depth:7; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/48BC6C0DF3302F7EAA6061C4F3B0357B4C512D5BD6F6088ABC6FC274F2EFC5AA/analysis/; classtype:trojan-activity; sid:24373; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Lizamoon sql injection campaign ur.php response detected"; flow:to_client,established; flowbits:isset,lizamoon.get.ur; content:"parkinglot="; content:"parkinglot="; http_cookie; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.edu/diary.html?storyid=10642; classtype:misc-activity; sid:24369; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Lizamoon sql injection campaign phone-home"; flow:to_server,established; content:"/ur.php"; fast_pattern:only; http_uri; content:".asp"; http_header; pcre:"/Referer\x3a [^\r\n]+\.aspx?/iH"; flowbits:set,lizamoon.get.ur; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.edu/diary.html?storyid=10642; classtype:misc-activity; sid:24368; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi.Prinimalka variant outbound connection"; flow:to_server,established; content:"/system/prinimalka.py/"; fast_pattern:only; http_uri; content:"user_id="; http_uri; content:"version_id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/39009996a0f1c9deca07bd63c53741e7c2081820fbc8b84e0f6375b5f529fae7/analysis/; classtype:trojan-activity; sid:24361; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; content:"User-Agent"; http_header; content:"Forthgoer"; within:15; http_header; pcre:"/(\&d[0-9]{2}=.*?)+/Usi"; content:"GET"; http_method; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/0377724b0060a6a92795d43f688d8f4fc5d1be2ac114fb5427035d8490a3e0e5/analysis; classtype:trojan-activity; sid:24350; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; content:"sqmimg"; fast_pattern:only; http_header; content:"help"; http_uri; content:"POST"; http_method; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/0377724b0060a6a92795d43f688d8f4fc5d1be2ac114fb5427035d8490a3e0e5/analysis; classtype:trojan-activity; sid:24349; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Bloropac variant outbound connection"; flow:to_server,established; content:"novo.php"; content:"to="; depth:3; http_client_body; content:"subject=%"; http_client_body; content:"message=infectado"; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/E5B920CBEE2CB1118A09F7130CFC23E3515D71F32478E94C6BF70543A6C02647/analysis/; classtype:trojan-activity; sid:24347; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"/send/log.php"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"id=%"; depth:4; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/4D2488CDA8637346C8020BFBEE10E8450030EECD410BE30B80348285985E583C/analysis/; classtype:trojan-activity; sid:24346; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Drexonin variant outbound connection"; flow:to_server,established; content:"/create.php"; http_uri; content:"idmq=1&id="; depth:10; fast_pattern; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/FF821D0D6B7477EA825838ED7D38905A36F1CA13C4218F4ABC30B3740E869A00/analysis/; classtype:trojan-activity; sid:24345; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; content:"Readmeee.txt"; fast_pattern:only; pcre:"/STOR\s+[01]{1}[0-9]{1}-[0-3]{1}[0-9]{1}-[0-9]{2}_[0-2]{1}[0-9]{1}-[0-6]{1}[0-9]{1}-[0-6]{1}[0-9]{1}Readmeee\x2etxt/si"; metadata:impact_flag red, service ftp; reference:url,www.virustotal.com/file/9bb5acdff3bb64a6f2b82868763c9214d688f8f375f4adee251de5e994adf0ab/analysis; classtype:trojan-activity; sid:24341; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab initial CNC connection"; flow:to_server,established; content:"mrmun_sgjlgdsjrthrtwg.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/6cb36a8d0adb9375b4cc48765c49643514477fbc3a804af32f52704fa7ec17b7/analysis; classtype:trojan-activity; sid:24340; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Agent variant connect to cnc-server"; flow:to_server,established; content:"/app_new/"; fast_pattern; nocase; http_uri; content:"User-Agent: IE9"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1A6DA8E84ABC485C6CA1ABC57D9B65E4EC420364C34F9EC18DCB38E7C226DEC2/analysis/; classtype:trojan-activity; sid:24334; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Workir variant outbound connection"; flow:to_server,established; content:"uden.php"; fast_pattern:only; http_uri; content:"app_type_id="; nocase; http_uri; content:"&wm_id="; nocase; http_uri; content:"&u="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/bdf6bb0f5453b3268bc4a7c9e53d736c14369bd86fef5645ef1eb1624303a0d5/analysis; classtype:trojan-activity; sid:24308; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Workir variant outbound connection"; flow:to_server,established; content:"hit.php"; fast_pattern:only; http_uri; content:"&app_type_id="; nocase; http_uri; content:"&wm_id="; nocase; http_uri; content:"&u="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/bdf6bb0f5453b3268bc4a7c9e53d736c14369bd86fef5645ef1eb1624303a0d5/analysis; classtype:trojan-activity; sid:24307; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Flexty variant outbound connection"; flow:to_server,established; content:"GET favicon.ico"; pcre:"/Cookie\:\s+[0-9a-f]{12}[^\r\n]+\r\n\x00{4}.{4}/i"; metadata:impact_flag red, service ssl; reference:url,www.virustotal.com/file/ae7dced8e152c6fc919276744d774cc1c290012ac1bcf673e998beba7aee0028/analysis/; classtype:trojan-activity; sid:24288; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Minitalviv variant outbound connection"; flow:to_server,established; content:"device_t="; nocase; http_uri; content:"key="; distance:0; nocase; http_uri; content:"device_id="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24287; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lurk variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/search|3F|hl|3D|us|26|source|3D|hp|26|q|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24286; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nomno variant outbound connection"; flow:to_server,established; content:"c="; content:"%3Dshell_exec%28%27"; fast_pattern:only; content:"c="; http_cookie; content:"%3Dshell_exec%28%27"; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24285; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Bancos variant outbound connection"; flow:to_server,established; content:"/procopspro.php"; nocase; http_uri; content:"op="; depth:3; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/DE6BD09AEB11913178CF2715F978934DA7C8173E61713E0BE88BD39FB0747693/analysis/; classtype:trojan-activity; sid:24271; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"Y2xrPTQu"; fast_pattern:only; http_uri; content:"GET /"; depth:5; isdataat:100,relative; content:!" "; within:100; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:24243; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wuwo post infection variant outbound connection"; flow:to_server,established; content:"/DES"; depth:4; fast_pattern; http_uri; content:".jsp?"; distance:0; http_uri; pcre:"/\/DES\d{9}O\d{4,5}\x2ejsp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24236; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wuwo initial infection variant outbound connection"; flow:to_server,established; content:"/AES"; depth:4; fast_pattern; http_uri; content:".jsp?"; distance:0; http_uri; pcre:"/\/AES\d{9}O\d{4,5}\x2ejsp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/69C8178F867C9CF75D813285A9D80B5CCB73D46F99D54FA7043794190D2C7685/analysis/; classtype:trojan-activity; sid:24235; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server,established; content:"/counter.img?theme="; nocase; http_uri; content:"&digits=10&siteId="; distance:0; fast_pattern; nocase; http_uri; pcre:"/counter.img\?theme\=\d+\&digits\=10\&siteId\=\d+$/Ui"; content:"User-Agent|3A 20|Opera/9 (Win"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity; sid:24224; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy variant outbound connection"; flow:to_server,established; content:"/1.php"; nocase; http_uri; content:"name|3D 22|nome|22|"; nocase; http_client_body; content:"name|3D 22|texto|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2f4624795d22528e629a83dc40b01810e89ea9e3c0e584ec4db1286f091b7eb7/analysis/; classtype:trojan-activity; sid:24217; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Biloky variant outbound connection"; flow:to_server,established; content:"/loc/gate.php|3F|"; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSlE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/41d6db389438c2ca66262e64152a9e9f8cde55d3643a387a6241d7a2431c8ce5/analysis/; classtype:trojan-activity; sid:24216; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/index_post.php"; fast_pattern:only; http_uri; content:"tipo|3D|"; nocase; http_client_body; content:"XP|3D|"; nocase; http_client_body; content:"OUTROS|3D|"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e82b4000b71c4b01f361556422bafbdc8f148072fe74e2a1667e85a7ae94cb5a/analysis/; classtype:trojan-activity; sid:24215; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Seveto variant outbound connection"; flow:to_server,established; content:"/svcs.php"; http_uri; content:"m|3D|"; http_uri; content:"v|3D|"; http_uri; content:"s|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f7da52bf05bfd32f503ee653a1e1b22ad5a6b00597ebbe172158db12c9a75ff2/analysis/; classtype:trojan-activity; sid:24214; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Xamtrav update protocol connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; fast_pattern:only; http_uri; content:"X-Session:"; nocase; http_header; content:"X-Status:"; nocase; http_header; content:"X-Size:"; nocase; http_header; content:"X-Sn:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9442f513416e352b7b3e340a05541751d48f17fde61b1766bdd11f25bb13fcc2/analysis/; classtype:trojan-activity; sid:24211; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Raven variant outbound connection"; flow:to_server,established; content:"/work.php?or="; http_uri; content:"&method="; within:8; distance:1; http_uri; content:"&sport="; within:24; distance:8; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/9489fe25cd0b4cc7a35f455c1dbb0f0faffe0de5294286227602f04dfc6ad8a5/analysis/; classtype:trojan-activity; sid:24191; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Work.Rokiwobi inbound command from C&C"; flow:to_client,established; file_data; content:"cmdtimer~~"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/8ec9b371b8a2092ffe93ac32e5029911c118256504fb9ba1426830010a513119/analysis/; classtype:trojan-activity; sid:24185; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Rokiwobi variant outbound connection"; flow:to_server,established; content:"/generic/host.php"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/8ec9b371b8a2092ffe93ac32e5029911c118256504fb9ba1426830010a513119/analysis/; classtype:trojan-activity; sid:24184; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Helompy variant outbound connection"; flow:to_server,established; content:"cmd.php?command="; fast_pattern:only; http_uri; content:"____USER="; http_uri; content:"____COMP="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/a869eec0d669facb214a6238268dea01c4480a17a6c6ec08049471fcaefd4bb3/analysis/; classtype:trojan-activity; sid:24182; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lataa variant outbound connection"; flow:to_server,established; content:"/bad.php"; http_uri; content:"w="; http_uri; content:"i="; http_uri; content:"a="; http_uri; pcre:"/w=\d{2}&i=[a-f0-9]{32}/Usmi"; content:"User-Agent|3A| Opera/6 (Windows NT "; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1a70b0947a25356f791e83f25435c30446cdf9da44cc113f63eea487aca82146/analysis/; classtype:trojan-activity; sid:24175; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lataa variant outbound connection"; flow:to_server,established; content:"/stat.php"; http_uri; content:"w="; http_uri; content:"i="; http_uri; content:"a="; http_uri; pcre:"/w=\d{2}&i=[a-f0-9]{32}/Usmi"; content:"User-Agent|3A| Opera/6 (Windows NT "; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1a70b0947a25356f791e83f25435c30446cdf9da44cc113f63eea487aca82146/analysis/; classtype:trojan-activity; sid:24174; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; content:"|78 9C 2B 4B 2D B2 35 54 CB C9 4F CF CC B3 CD 2E CD CE 49 4C CE 48 2D 53 CB 4D 4C 2E CA 2F 4E 2D 8E 2F|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/14429942c5fa23cb0364880280c92f2122f22a60cd3f5c1cff3662ecfd92a8d5/analysis/; classtype:trojan-activity; sid:24169; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clisbot variant outbound connection"; flow:to_server,established; content:"|CD 12 1B AB 7C 03 00 00 00 00 00 00 44 01 00 00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/d33d14daa96a66b53ab6f2428f635fe2e0dce905f94a44654e7c19e905c5f567/analysis/; classtype:trojan-activity; sid:24092; rev:5;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in ICMP"; content:"|08 00 45|"; depth:3; offset:12; content:"|00 00|"; within:2; distance:5; content:"|06|"; within:1; distance:1; content:"|00 00 00 00|"; within:4; distance:18; metadata:impact_flag red, policy max-detect-ips drop; reference:url,attack.mitre.org/techniques/T1048/; reference:url,www.virustotal.com/#/file/7dde04222d364b6becbc2f36d30ce59a5ec25bf4c3577d0979bb1b874c06d5dc/; classtype:trojan-activity; sid:24088; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Bledoor TCP tunnel in UDP"; flow:to_server; content:"|08 00 45|"; depth:3; offset:12; content:"|00 00|"; within:2; distance:5; content:"|06|"; within:1; distance:1; content:"|00 00 00 00|"; within:4; distance:18; metadata:impact_flag red, policy max-detect-ips drop, service dns; reference:url,attack.mitre.org/techniques/T1048/; reference:url,www.virustotal.com/#/file/7dde04222d364b6becbc2f36d30ce59a5ec25bf4c3577d0979bb1b874c06d5dc/; classtype:trojan-activity; sid:24087; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|i|22 0D 0A 0D 0A|exec|0D 0A|--"; fast_pattern; nocase; http_client_body; content:"|3B 20|name=|22 78 22 0D 0A|"; within:64; distance:20; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/005adb35d613c77c9613b3d1c82aa4b8ff87a8b17b77b0e235a919ebc566b5c4/analysis/; classtype:trojan-activity; sid:24082; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upof variant outbound connection"; flow:to_server,established; content:"/ASLK/"; depth:6; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/b19b2b8248bbd3d4ec9b52d63db9780838394bb9c01b2e76365f0e6207ea6504/analysis/; classtype:trojan-activity; sid:24077; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hufysk variant outbound connection"; flow:to_server,established; content:"/j.php|3F|u|3D|"; fast_pattern:only; http_uri; content:"&v=f2&r="; depth:8; offset:41; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/bff436d8a2ccf1cdce56faabf341e97f59285435b5e73f952187bbfaf4df3396/analysis/; classtype:trojan-activity; sid:24062; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Downloader.Inject variant outbound connection"; flow:to_server,established; content:"/update/count.asp"; fast_pattern:only; http_uri; content:"Host|3A| www.cdigroups.com"; http_header; content:"HostName|3A| "; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/DA16D93785461192001FBFF760AE2EF617AD244724BF3E48D4C7073E641C8F88/analysis/; classtype:trojan-activity; sid:24035; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Madon variant outbound connection - variant outbound connection"; flow:to_server,established; content:"/Strux/Zombies.php"; fast_pattern:only; http_uri; pcre:"/\/Strux\/Zombies\.php\?1=\{[^\}]+\}/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/DDABAC45B1A6667CE4D533D9684FCCF44802C9099273986B80867827A39630EE/analysis/; classtype:trojan-activity; sid:24016; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; content:".asp?"; content:"mac="; within:4; content:"&ver="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cbot variant outbound connection - inital contact"; flow:to_server,established; content:"Host|3A| source.boxtips.net"; fast_pattern:only; http_header; content:".aspx"; nocase; http_uri; pcre:"/\/(archive|bestbuy)\.aspx$/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/e706dc87a163ea04c178d4454014c766b049e4f5cf66ebd40e6c51738278700b/analysis/; classtype:trojan-activity; sid:24014; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cbot variant outbound connection - inital contact"; flow:to_server,established; content:"Host|3A| name.armact.com"; fast_pattern:only; http_header; content:".aspx"; nocase; http_uri; pcre:"/\/(archive|bestbuy)\.aspx$/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/e706dc87a163ea04c178d4454014c766b049e4f5cf66ebd40e6c51738278700b/analysis/; classtype:trojan-activity; sid:24013; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cbot variant outbound connection - inital contact"; flow:to_server,established; content:"Host|3A| photo.goldsignal.net"; fast_pattern:only; http_header; content:".aspx"; nocase; http_uri; pcre:"/\/(archive|bestbuy)\.aspx$/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/e706dc87a163ea04c178d4454014c766b049e4f5cf66ebd40e6c51738278700b/analysis/; classtype:trojan-activity; sid:24012; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransomer variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/g.php"; fast_pattern; http_uri; content:"uuid="; http_client_body; content:"&os="; within:4; distance:16; http_client_body; content:"&t="; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/dfeb49a356f2c5afbe0ff6166aa504548ba4189fd9b66f6a0a0341b5c8a4606d/analysis/; classtype:trojan-activity; sid:24011; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC runtime Trojan.Radil variant outbound connection"; flow:to_server,established; dsize:<50; content:"Kris"; depth:4; offset:8; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/8c50bf99178cee6e6cb09325ac7a56e00426ff9db90b45e13ce2c5b491db0a80/analysis/; classtype:trojan-activity; sid:24010; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptik.Kazy variant outbound connection"; flow:to_server,established; content:"|07 00 00 00|"; depth:4; http_client_body; content:"|00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 0E 00 00 00 0A 0F 10 11 1B 2E|"; within:30; distance:4; fast_pattern:10,20; http_client_body; content:"|15 12 0E 0F 18 31|"; within:6; distance:42; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2d8e630ecffa5d95db6a1a9cc430e6e72d59649575cfc29c8602155955541f41/analysis/; classtype:trojan-activity; sid:23987; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"MALWARE-CNC Win.Trojan.Hostposer variant outbound connection"; flow:to_server,established; content:"|65 00 78 00 65 00 63 00 20 00 61 00 64 00 64 00 5F 00 61 00 76 00 73 00 28 00 27|"; fast_pattern:only; content:"|27 00 30 00 27 00 2C 00 27 00 30 00 27 00 2C 00 27 00 30 00 27|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service mysql; reference:url,www.virustotal.com/file/8608CC320757256E8AE80DAF8895EC98BB4FDF589F90C79EED74062B497ECF4C/analysis/; classtype:trojan-activity; sid:23978; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8881:8888] (msg:"MALWARE-CNC Win.Trojan.Genome runtime update to cnc-server"; flow:stateless; content:"BluvfmmftGfotufs$,,$"; depth:21; metadata:impact_flag red; reference:url,www.virustotal.com/file/c01b8dd62efbb8e28838bde9059c6f5e62541368ab225f98c68f144cfe5677ac/analysis/; classtype:trojan-activity; sid:23977; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8881:8888] (msg:"MALWARE-CNC Win.Trojan.Genome initial variant outbound connection"; flow:to_server,established; content:"$,,$Njdsptpgu!Xjoepxt"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/file/c01b8dd62efbb8e28838bde9059c6f5e62541368ab225f98c68f144cfe5677ac/analysis/; classtype:trojan-activity; sid:23976; rev:6;)
# alert tcp $EXTERNAL_NET [1024:65535] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Vampols variant inbound connection"; flow:to_client,established; content:"|0D 0A 0D 0A C2 C3 C4 C5 C6 C7 C0 C1|"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/28071cf9861a7b857248e7ab349591c8c615e7cae036a96a7f80907dcbd4cbdf/analysis/; classtype:trojan-activity; sid:23973; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; urilen:39; content:"/?xclzve_"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e11901864208c8468be6433b76f4d038cd298f387c9d61ffeadf5ea9e7402367/analysis/; classtype:trojan-activity; sid:23972; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Kabwak variant outbound connection"; flow:to_server,established; content:"|30 30 30 30 30|"; depth:5; content:"|66|"; depth:1; offset:15; content:"|9C 00 00 00|"; depth:4; offset:19; fast_pattern; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/6DAD949F5D6727CAFE80271B6B91DDCCDB4EE5C0FFDF39AE17B0E52B6EBF63FC/analysis/; classtype:trojan-activity; sid:23971; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crisis variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|2F|stats|2E|asp|3F|site|3D|actual"; fast_pattern:only; http_uri; content:"Content-Length|3A| 112"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C093B72CC249C07725EC3C2EEB1842FE56C8A27358F03778BF5464EBEDDBD43C/analysis/; classtype:trojan-activity; sid:23968; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Runagry variant outbound connection"; flow:to_server,established; content:!"User-Agent"; http_header; content:".php?cpid=nv"; fast_pattern; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/dd2141783840d70ba7d9ca9fe9c608c8b73cf095a231159eddf44652e1185075/analysis/; classtype:trojan-activity; sid:23963; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Xhuna.A variant outbound connection"; flow:to_server,established; content:"/_xun_ha/index.html?aHR0cD1"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/378e0f166e399537e9e4c2ca882205b4a5872a5d524b6adfc75d6cd0c2c9a687/analysis/; classtype:trojan-activity; sid:23955; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Comfoo variant outbound connection"; flow:to_server,established; content:"|18 98 7A 68 30 A0 11 61 F1 75 F4|"; fast_pattern:only; content:"|B1 C2|"; depth:2; content:"|73 F4 AF 5D 94 22 EC CC|"; depth:8; offset:10; metadata:impact_flag red; reference:url,www.virustotal.com/file/F636A8653D83E261D20135355694CA2312130056A3BE58428EB56F760CE1C1D4/analysis/; classtype:trojan-activity; sid:23953; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4030 (msg:"MALWARE-CNC Win.Trojan.TKcik variant outbound connection"; flow:to_server,established; content:"KCIK"; depth:8; fast_pattern; pcre:"/[rs]{4}/"; metadata:impact_flag red, service ircd; reference:url,www.virustotal.com/file/1ADF609A4D9960FAA565F3CBC399B1472B77BCE99A33619B49AD2F3794055244/analysis/; classtype:trojan-activity; sid:23949; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Sicisono variant outbound connection"; flow:to_server,established; content:"|73 69 63 69 73 6F 6E 6F|"; depth:8; content:"$$Finish|A3 A3|"; fast_pattern; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3241ea9aa33835a0b192db10eba6ab09ca4f4e32f2aaf222f1117c98da45f602/analysis/; classtype:trojan-activity; sid:23948; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backdoor file download"; flow:to_server,established; content:"/_libs/wget.exe"; http_uri; content:"User-Agent|3A| Compressor ZIP do Windows"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23946; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backdoor variant outbound connection"; flow:to_server,established; content:"/registraMaquina*/"; nocase; http_uri; content:"User-Agent|3A| Clickteam"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C1EE4AA7DFBB02C4E9C1EA6A45D7C98EA10727661994BD595CADF4173415CFCA/analysis/; classtype:trojan-activity; sid:23945; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.C0D0SO0 variant outbound traffic"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"/index00"; nocase; content:".asp"; distance:0; nocase; pcre:"/\/index\d{9}\.asp/i"; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:23942; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Aharm variant outbound connection"; flow:to_server,established; content:"php?tr="; http_uri; content:"&e="; within:16; http_uri; content:"&p="; within:5; http_uri; content:"&seed="; within:21; fast_pattern; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/D852EE72D27509A259C203E61F0487ECF791E7EF5BA315AD3CA70D64F1C27AFF/analysis/; classtype:trojan-activity; sid:23941; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Ibabyfa.dldr variant outbound connection"; flow:to_server,established; content:"- f i r s t  - l o g f i l e"; content:"Username-"; within:32; distance:55; content:"Computer Name-"; distance:0; content:"Files Copied to"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/bf25f7588c58cd4b7cc5ac04ebfd00c5/detection; classtype:trojan-activity; sid:23938; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 682 (msg:"MALWARE-CNC Win.Trojan.Zakahic variant outbound connection"; flow:to_server,established; content:"asp?act=postmb&"; content:"&d20="; within:256; distance:4; metadata:impact_flag red; reference:url,www.virustotal.com/file/029c511a307de53e337181bf9aa155a4c485ccb2c3b27b121e8b76fae822ffb1/analysis/; classtype:trojan-activity; sid:23936; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3733 (msg:"MALWARE-CNC Win.Trojan.Zakahic variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|?mac="; content:"&os="; within:4; distance:12; content:"&ver="; within:16; content:"&fs="; within:8; distance:1; content:"&t="; within:8; distance:1; metadata:impact_flag red; reference:url,www.virustotal.com/file/029c511a307de53e337181bf9aa155a4c485ccb2c3b27b121e8b76fae822ffb1/analysis/; classtype:trojan-activity; sid:23935; rev:6;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; content:"/ajax_modal/modal/data.asp"; nocase; http_uri; content:"&state="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:23893; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dtfanri variant outbound connection"; flow:to_server,established; content:"InetURL:/1.0|0D 0A|"; fast_pattern:only; http_header; content:".php?Host="; http_uri; content:"&Data="; within:128; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/d9ca2ebdecbd92653afc769d8001f0ce124011656328ffad9be33f4217cd84a7/analysis/; classtype:trojan-activity; sid:23877; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scirib variant outbound connection"; flow:to_server,established; content:"/xmlrpc/includes/info.php?"; fast_pattern:only; http_uri; content:"w=Nombre%20de%20Usuario:"; http_raw_uri; content:"%0D%0ASistema%20Operativo:"; http_raw_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/931882c4d185b27d96e26f89627fbdd579d85a010f81cd27e13a1826a6632dc2/analysis/; classtype:trojan-activity; sid:23876; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [22,53,80,443,3111,4111,9111] (msg:"MALWARE-CNC FinFisher variant outbound connection"; flow:to_server,established; content:"|5C 00 00 00 A0 02 72 00 0C 00 00 00 40 04 FE 00|"; fast_pattern:only; metadata:impact_flag red; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:23826; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [22,53,80,443,3111,4111,9111] (msg:"MALWARE-CNC FinFisher initial variant outbound connection"; flow:to_server,established; content:"|0C 00 00 00 40 01 73 00|"; fast_pattern:only; metadata:impact_flag red; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:23825; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Gauss malware check-in"; flow:to_server,established; content:"/userhome.php?sid="; nocase; http_uri; content:"&uid="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23824; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control traffic"; flow:to_server,established; content:"Host|3A| kevincoe.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file/dc0ab3374be11b3bf35fe9c4fd9d76705d36f206a6b38f00651a9da77e7edc2e/analysis/; classtype:trojan-activity; sid:23794; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Locotout variant outbound connection"; flow:to_server,established; content:"external="; fast_pattern:only; pcre:"/x00externalx3dd{5,10}/"; metadata:impact_flag red; reference:url,www.virustotal.com/file/a2fcfb2bce352993a2e7823cd190eb365ce559c1d1ae14ce1aa2af7752476ece/analysis/; classtype:trojan-activity; sid:23788; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Locotout variant outbound connection"; flow:to_server,established; dsize:8; content:"|06 00|crap64"; depth:8; metadata:impact_flag red; reference:url,www.virustotal.com/file/a2fcfb2bce352993a2e7823cd190eb365ce559c1d1ae14ce1aa2af7752476ece/analysis/; classtype:trojan-activity; sid:23787; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus.kych variant outbound connection"; flow:to_server,established; content:"/25/index.php"; nocase; http_uri; content:"P-r"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3F2071D00FD4093A500F5287917A721334D7B96778C494C43A879CC3862B2CB8/analysis/; classtype:trojan-activity; sid:23782; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Begfanit.A outbound connection"; flow:to_server,established; content:"Trident/4.0|3B| Media Center PC 4.0|3B| SLCC1|3B| .NET CLR 3.0.04320)"; fast_pattern:only; content:"|0D 0A 0D 0A|"; base64_decode:relative; base64_data; pcre:"/^\w+\x3b.*?\x3b.*?\x3b/"; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.virustotal.com/file/cce53cf5bf99499b9577cc40e7c1803ef2d008dea5287b64825119ba57edb16a/analysis/; classtype:trojan-activity; sid:23780; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bublik variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/was/vas.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/73B6C213C7F5621A760936B5071A3FA43EFA66A94EBF05200D990229F210F0A1/analysis/; classtype:trojan-activity; sid:23778; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Gozi trojan checkin"; flow:to_server,established; content:"/viewtopic.php?f="; nocase; http_uri; content:"user_id="; nocase; http_client_body; content:"version_id="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/a6b6642b2cc6386d71c90c0a6bb27f873e13fa940f8bd568515515471f74b152/analysis/; classtype:trojan-activity; sid:23635; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Kegotip variant outbound connection"; flow:to_server,established; content:"CrgS|0A 00 00 00|"; depth:8; metadata:impact_flag red; reference:url,www.virustotal.com/file/CC7913E43487D6D3F5373B103441AC76534D7AD611A6E9F8DA45678CD993DBD5/analysis/; classtype:trojan-activity; sid:23634; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kegotip variant report to cnc-server"; flow:to_server,established; content:"index_get.php"; http_uri; content:"action=ADD_FTP"; fast_pattern:only; http_uri; content:"&ftp_host"; http_uri; content:"&ftp_login"; http_uri; content:"&ftp_pass"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CC7913E43487D6D3F5373B103441AC76534D7AD611A6E9F8DA45678CD993DBD5/analysis/; classtype:trojan-activity; sid:23633; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.YMrelay variant outbound connection"; flow:to_server,established; content:"|3C 6E 3E 56 3C 2A 3E|"; depth:7; content:"|3C 6E 3E|INIT|3C 2F 6E 3E|"; depth:32; offset:4; metadata:impact_flag red; reference:url,www.virustotal.com/file/9F2948176C8C5011732883388A7561D5BCF6EA6CD5A140D2E6E51066CE8CB428/analysis/; classtype:trojan-activity; sid:23630; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pincav variant outbound connection"; flow:to_server,established; content:"/Adminweb/news.asp?id=ZGlja3lA"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/73a97de02fb822dcde3e431e89d7458fd241ee8b80e6b907abd5a44c3fea3d39/analysis/; classtype:trojan-activity; sid:23628; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC ACAD.Medre.A variant outbound connection"; flow:to_server,established; content:"To|3A| |3C|me5uqyqyg|40|163.com|3E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aALisp%2fBlemfox.A; classtype:trojan-activity; sid:23615; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Worm.Crass.A variant outbound connection"; flow:to_server,established; content:"MODE New{"; nocase; content:"-x"; within:10; distance:1; nocase; content:" +iMm|0D 0A|"; within:16; distance:8; nocase; metadata:impact_flag red, service ircd; reference:url,www.virustotal.com/file/ee09b43c9c50b00b8021872845e36572/analysis/; classtype:trojan-activity; sid:23610; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sofacy.A outbound connection"; flow:to_server,established; content:"aspn/cgi-bin/"; fast_pattern:only; http_uri; pcre:"/^.*?aspn\x2fcgi-bin\x2f.*?\x2ecgi\?[a-z0-9]{8}_\w{1,}/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1E217668D89B480AD42E230E8C2C4D97/analysis/; reference:url,www.virustotal.com/file/9E4817F7BF36A61B363E0911CC0F08B9/analysis/; classtype:trojan-activity; sid:23607; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sofacy.A outbound connection"; flow:to_server,established; content:"U3RhcnRlZA=="; fast_pattern:only; http_client_body; pcre:"/^.*?aspn\x2fcgi-bin\x2f.*?\x2ecgi\?[a-z0-9]{8}_\w{1,}/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1E217668D89B480AD42E230E8C2C4D97/analysis/; reference:url,www.virustotal.com/file/9E4817F7BF36A61B363E0911CC0F08B9/analysis/; classtype:trojan-activity; sid:23606; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue outbound connection"; flow:to_server,established; urilen:15,norm; content:"User-Agent|3A| Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"/blog/image.php"; depth:15; http_uri; content:"hccA"; depth:4; http_client_body; content:"|0D 0A|"; within:2; distance:60; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/79de8adb01b29c8a9dff98449fb0906e7391c8e5f9062c5317014654d820cab2/analysis/; classtype:trojan-activity; sid:23600; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Slagent outgoing connection"; flow:to_server,established; content:"/TestConnection.htm"; fast_pattern:only; http_uri; content:"User-Agent: HTTPRequest"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/1d5c82d99e192d922365ee7d6736318c/detection; classtype:trojan-activity; sid:23599; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Slagent outgoing connection"; flow:to_server,established; content:"MCUninstall.php3"; fast_pattern:only; http_uri; content:"ComputerID"; nocase; http_uri; content:"Password"; nocase; http_uri; content:"User-Agent: HTTPRequest"; nocase; http_header; pcre:"/MCUninstall\x2ephp3\x3fComputerID\x3d.*?Password\x3d/smiU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/1d5c82d99e192d922365ee7d6736318c/detection; classtype:trojan-activity; sid:23598; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.DHD variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tellfriends/index.php"; http_uri; content:"DOCTYPE+HTML+PUBLIC+"; fast_pattern; http_client_body; content:"DTD+HTML+4.01+Transitional"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/0E1AFF259D8E97C1C03692F60FE5238F764040108F905F025EED9BD3519FEB91/analysis/; reference:url,www.virustotal.com/file/9320D247DD94F610F31037DF8EDA75FE79991F126D2E55D35A9532D09FF79896/analysis/; classtype:trojan-activity; sid:23597; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/uda"; http_uri; content:"name=|22|upload_file|22 3B|"; fast_pattern:only; content:"name=|22|user_id|22|"; http_client_body; content:"name=|22|version_id|22|"; http_client_body; content:"name=|22|sys|22|"; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/207bcf2e0fe4e3886499bd66922cfbd788329fec4de7ab5dd4601e6591d7d970/analysis/; reference:url,www.virustotal.com/file/ba9ac5931b86d08f125d61a334cf0c83233d86e374a18283c6355dda3efc11a4/analysis/; classtype:trojan-activity; sid:23595; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/ping"; http_uri; content:"user_id="; depth:8; http_client_body; content:"&version_id="; within:32; distance:1; http_client_body; content:"&socks="; within:32; distance:1; http_client_body; content:"&build="; within:16; distance:1; http_client_body; content:"&crc="; within:16; distance:1; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/207bcf2e0fe4e3886499bd66922cfbd788329fec4de7ab5dd4601e6591d7d970/analysis/; reference:url,www.virustotal.com/file/ba9ac5931b86d08f125d61a334cf0c83233d86e374a18283c6355dda3efc11a4/analysis/; classtype:trojan-activity; sid:23594; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/ura/index.php"; http_uri; content:"sAAA"; depth:4; offset:2; http_client_body; isdataat:!30,relative; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/BF48703259B0B6AF098F44C39AB1784CFCE6F5284004614952BC89C9CBFCB56B/analysis/; classtype:trojan-activity; sid:23593; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kugdifod.A variant outbound connection"; flow:to_server,established; content:"/400034"; http_uri; content:"34000000000000003400000000000000"; within:32; distance:32; http_uri; metadata:impact_flag red, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Inject-UY/detailed-analysis.aspx; classtype:trojan-activity; sid:23495; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Onitab.A outbound connection"; flow:to_server,established; content:"User-Agent: Google page"; fast_pattern:only; content:"/count.asp?MAC="; depth:19; nocase; content:"&DiskNum="; within:50; nocase; content:"&ProNum="; within:50; nocase; content:"&ComName="; within:50; nocase; content:"&tgid="; within:50; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/bc3a255ee75c695f89e29c6a83fbadda4811947c77c52add907b7410f09ca5d0/analysis/; classtype:trojan-activity; sid:23494; rev:8;)
alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:6;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kura variant outbound connection"; flow:to_server,established; content:"image.php"; http_uri; content:"E0a4"; depth:4; fast_pattern; http_client_body; isdataat:!96,relative; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/79DF162D64FD6DB3EEF62C0F442283C3950ABCB2E7FA33A6860EAA535855BF52/analysis/; classtype:trojan-activity; sid:23491; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4441 (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; content:"@inf@|7C 7C|"; depth:7; pcre:"/^(\d{1,3}\x2e){3}\d{1,3}\x7c\x7c/iR"; metadata:impact_flag red; reference:url,www.virustotal.com/file/36D93A954B95968F80996ACE489E96D795AFD5E9968E9140E54D70D2BCC4B80F/analysis/; classtype:trojan-activity; sid:23469; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; content:"/Applog.php"; nocase; http_uri; content:"a="; distance:0; http_uri; pcre:"/u=[0-9a-f]{32}/iU"; content:"User-Agent: Mozilla/4.0 khbae"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/2B2D03EE5F270C43164FCEAEB309D08D1D072C0F327AC12D75677428A63BCFC3/analysis/; classtype:trojan-activity; sid:23468; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Mazben file download"; flow:to_client,established; content:"Content-Type: image/gif"; http_header; file_data; content:"|36 50 7B F5 F9 22 C4 3C|"; depth:8; offset:1; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/4DA4DB7C7547859B48FCEE2D4E0827983161F3FA04FA87BBFDBA558F9F80F74F/analysis/; classtype:trojan-activity; sid:23467; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Win.Trojan.Belesak.A variant outbound connection"; flow:to_server,established; dsize:12; content:"|0C 00 00 00 40 01 73 00|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/file/c488a8aaef0df577efdf1b501611ec20/analysis/; classtype:trojan-activity; sid:23460; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.RedSip.A variant outbound connection"; flow:to_server,established; content:"|78 56 34 12 01 00 00 00 14 05 00 00 00 00 00 00|"; depth:16; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/414148ab390728bdb18ebf2421b9a4f96b8690479f312bb0c9f3347c89438a85/analysis/; classtype:trojan-activity; sid:23451; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.McRat connect to server"; flow:to_client,established; content:"|FF FF FF FF 00 00 00 00 11 00 00|"; depth:87; offset:76; metadata:impact_flag red; reference:url,www.virustotal.com/file/1581c0555956f7f62c717e303b6f8785207f107fbb4e375c1e50788d9a4a2f07/analysis/; classtype:trojan-activity; sid:23450; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Servstart.ax variant outbound connection"; flow:to_server,established; content:"|00 00 01 00|"; depth:4; content:"Windows"; content:"|18 EE 90 7C 38 07 91 7C FF FF FF FF 32 07 91 7C AB 06 91 7C EB 06 91 7C 00 00 00 00 14 00 00 00 00 00 F6 76|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/file/e3e2a2f6f77c0ed644a67c422e6def2ad764c45761ea23a60f100b947d4d0442/analysis/; classtype:trojan-activity; sid:23449; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Psyokym variant outbound connection"; flow:to_server,established; content:"/extract.php"; http_uri; content:"/extract.php?"; http_uri; content:"&un="; distance:0; http_uri; content:"x=%20%20*****"; http_raw_uri; content:"User-Agent: VB OpenUrl|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/FDACCB39FC9C1AD57E89620804BF8BA81823E356AAFEE5BAE96B201ED638A48F/analysis/; classtype:trojan-activity; sid:23448; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sojax.A variant outbound connection"; flow:to_server,established; content:"/count/count.php?m="; fast_pattern:only; http_uri; pcre:"/\x26n\x3d[^\x26\x3d]{0,64}[0-9a-f]{12}/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/23F387FAC39DDE1740F0CCD5C098A41F/analysis/; classtype:trojan-activity; sid:23447; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sojax.A variant outbound connection"; flow:to_client,established; file_data; content:"/count/count.php"; fast_pattern:only; content:"ScriptFileDir"; content:"ExeFileDir"; within:20; content:"SeverUrl"; within:20; content:"Addinfo"; within:20; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/23F387FAC39DDE1740F0CCD5C098A41F/analysis/; classtype:trojan-activity; sid:23446; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Govdi.A variant outbound connection"; flow:to_server,established; content:".jpg"; http_uri; content:"|2E|DIAN|29 0D 0A|"; fast_pattern:only; http_header; pcre:"/^User-Agent[^\n]*\x2eDIAN\x29/smiH"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/f6a180cc3b31693739089a9966dd1feb107bb49216f1e3ed11baab8e4f6b5226/analysis/; classtype:trojan-activity; sid:23399; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vbvoleur.a variant outbound connection"; flow:to_server,established; content:"User-Agent: default"; http_header; content:"uid|3D|"; http_client_body; content:"|26|subid|3D|"; http_client_body; content:"|26|torrent_count|3D|"; fast_pattern:only; http_client_body; content:"|26|video_count|3D|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/dd616615017e0d5a1a9b126e0294d3cfc026ea0aa76b76354536d24b3c327c47/analysis/; classtype:trojan-activity; sid:23394; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1001 (msg:"MALWARE-CNC Win.Trojan.Hioles.C variant outbound connection"; flow:to_server,established; content:"|85 B2 04 77 CE 38 E0 33|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/5cdbab3bf4cb3b64cb27d7c40370cb5788d5e0662eb33bc8f9f178818bcc6a1d/analysis/; classtype:trojan-activity; sid:23391; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Java.Arratomref variant outbound connection"; flow:to_server,established; content:"/b2Xf-M1PWn0rjaKgZ_i"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/1b980653e537d74d93d635c95bee5306/analysis/; classtype:trojan-activity; sid:23390; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Java.Arratomref variant outbound connection"; flow:to_server,established; content:"/b2mVXNOC5FPD-Ldti6MxG"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/059b871804394fa678232ce5ed3a46b7/analysis/; classtype:trojan-activity; sid:23389; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeMSN.I variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/msnhacker.php"; fast_pattern:only; http_uri; content:"senha="; nocase; http_client_body; content:"&login="; nocase; http_client_body; content:"&recebe="; nocase; http_client_body; content:"&envia="; nocase; http_client_body; content:"&assunto="; nocase; http_client_body; metadata:service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%253aWin32%252fFakemsn.I&ThreatID=-2147314109; classtype:trojan-activity; sid:23388; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/siri/modules/infect3/index.php"; fast_pattern:only; http_uri; content:"chave=xchave"; nocase; http_uri; content:"url="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/712E7F3561C1006A8787F2DE5C1AA997DFD95D0B9DF221C48E4407124C1E62EF/analysis/; classtype:trojan-activity; sid:23387; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chaori.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/contratoavi.php"; fast_pattern:only; http_uri; content:"de="; nocase; http_client_body; content:"praquem="; nocase; http_client_body; content:"titulo="; nocase; http_client_body; content:"texto="; nocase; http_client_body; content:"orkut2"; nocase; http_client_body; metadata:service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3aWin32%2fChaori.A; classtype:trojan-activity; sid:23383; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyEye variant outbound connection"; flow:to_server,established; content:"/dataSafer3er/"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"|8C 69 69 B2|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/09478bf4833505d3d7b66d4f30ccce6b9fde3ea51b9ccf6fdeadc008efba43d8/analysis/; classtype:trojan-activity; sid:23382; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Ventana initial variant outbound connection"; flow:to_server,established; content:"E134087E76C7B1C54F9A2F28C533C412"; depth:32; content:"#*"; distance:0; content:"####"; within:32; content:"#*"; within:32; metadata:impact_flag red; reference:url,www.virustotal.com/file/62b0bf8683c7d137b406b0c71f3ca4d6fc43f9085d90f081eee0b1058d4a2c3f/analysis/; classtype:trojan-activity; sid:23380; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Leepload variant outbound connection"; flow:to_client,established; content:"<head>Ji01LC4tIyZ4"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/466bb7da773c7c200f87a8a06f143c6c6856e9ebc4347eb4afb096104bcd97b4/analysis/; classtype:trojan-activity; sid:23379; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sasfis variant outbound connection"; flow:to_client,established; file_data; content:"xao9zv4sc4rzc15pprkb00rwe7o31"; fast_pattern:only; content:"rkb00rwe7o31"; content:"xao9zv4sc4rzc15pprkb"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/8ede3bd523b89ab4d4817f13182577f7/analysis/; classtype:trojan-activity; sid:23378; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Sasfis variant outbound connection"; flow:to_server,established; content:"HELO "; depth:5; content:"|0A|MAIL FROM|3A|"; distance:0; content:"|0A|RCPT TO|3A|"; distance:0; pcre:"/^HELO\s+x[a-z]{31}[^@].*?^MAIL\s+FROM\x3a x[a-z]{31}[^@].*?^RCPT TO\x3a\s*x[a-z]{31}[^@]/smi"; metadata:impact_flag red, service smtp; reference:url,www.virustotal.com/file/8ede3bd523b89ab4d4817f13182577f7/analysis/; classtype:trojan-activity; sid:23377; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC RunTime Win.Trojan.tchfro.A variant outbound connection"; flow:to_server,established; content:"|31 70 C3 A7 A8 04 00 00|"; depth:8; content:"uuuuuuuu"; distance:0; content:"|01|u=u|10|"; distance:0; metadata:impact_flag red; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fEtchfro.B; classtype:trojan-activity; sid:23345; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Harvso.A variant outbound connection"; flow:to_server,established; content:"form|2D|data|3B| name=|22|group_id|22 0D 0A 0D 0A|"; fast_pattern:only; http_client_body; content:"name=|22|password|22 0D 0A 0D 0A|"; nocase; http_client_body; content:"name=|22|debug|22 0D 0A 0D 0A|"; nocase; http_client_body; content:"name=|22|file|22 3B| filename="; nocase; http_client_body; content:"|0D 0A 0D 0A|PK"; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/01560abe19bee3de6a8712ae1b66b162ebd17cfea2bb99244cb74b1ce90d75bb/analysis/; classtype:trojan-activity; sid:23344; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"@0100"; depth:5; content:"%%EnD%%"; within:100; metadata:impact_flag red; reference:url,www.virustotal.com/file/3B1A4D749A4CF879144FDF8C6EB9C65AEEDAE52771F46914C2738542EAC1D842/analysis/; classtype:trojan-activity; sid:23343; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"media/system/js/wp-env.php"; fast_pattern:only; http_uri; content:"nomepc="; nocase; http_uri; content:"osName="; nocase; http_uri; content:"netCard="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/B25052ADA8C0B52DBA31993E8FB6DE3609C74D54B262EEC48AC440B4D678ABC7/analysis/; classtype:trojan-activity; sid:23342; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Nitol.B variant outbound connection"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|71 64 26 26 26 26 26 26 26 26|"; within:32; distance:384; reference:url,www.virustotal.com/#/file/911d8cd8bb19263ab609f5b4c9cc4174/detection; classtype:trojan-activity; sid:23340; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Prier.A variant outbound connection"; flow:to_server,established; content:"c=diary"; fast_pattern:only; http_uri; content:"a=getdataview"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/\/\?u=(testdown|test|lichao)\d*?&/iU"; metadata:service http; reference:url,securelist.com/en/descriptions/17251844/; classtype:trojan-activity; sid:23339; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bluenet.A variant outbound connection"; flow:to_server,established; content:"command.bot"; fast_pattern:only; http_uri; content:"User-Agent|3A| Win32 BlueNet"; nocase; http_header; metadata:service http; reference:url,www.malware-control.com/statics-pages/dd3f968c5d0b74cc1d64bb57e16740e6.php; classtype:trojan-activity; sid:23337; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linfo.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"name=|22|FILE1|22 3B|"; nocase; http_client_body; content:"filename=|22|0000"; nocase; http_client_body; content:"|5F|1in1.gif"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/2FFB7B9EA7259B9554437E21D919F3B8954D2D15E374CD7993C37D211BC34E35/analysis/; classtype:trojan-activity; sid:23336; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"?act=login&ver="; http_uri; content:"&born="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b162604f44fd37bf77b1c043a1b35d7bedde8ff907df4be9276a6d77f36d6242/analysis/; classtype:trojan-activity; sid:23335; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2011 (msg:"MALWARE-CNC Win.Trojan.Downloader initial C&C checkin"; flow:to_server,established; content:"|1A 27 00 00|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/aaba9f42a76ca25d016d758fbd1dae860df1915eda52f8b8c659243b62110827/analysis/; classtype:trojan-activity; sid:23334; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker initial C&C checkin"; flow:to_server,established; content:"/weblogs/recv.php"; fast_pattern:only; http_uri; content:"POST"; nocase; http_method; content:"|1C 29 ED F3 87 AE|"; depth:6; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/fa09536ae65f8d9462bb89f96697470c68f88a1f60ebc76d31bd42a30b5ad299/analysis/; classtype:trojan-activity; sid:23333; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dishigy variant outbound connection"; flow:established, to_server; content:"POST"; nocase; http_method; content:"/bot/diwar.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:23332; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mybot variant outbound connection"; flow:to_server,established; content:"gerudi/update.txt"; fast_pattern:only; http_uri; content:"host="; nocase; http_uri; content:"state="; nocase; http_uri; content:"User-Agent|3A| Wget/1.11.4"; nocase; http_header; metadata:impact_flag red, service http; classtype:trojan-activity; sid:23331; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3315 (msg:"MALWARE-CNC Win.Trojan.Dropper initial variant outbound connection"; flow:to_server,established; content:"|B7 E2 01 00 01 00 00|"; depth:7; metadata:impact_flag red; reference:url,www.virustotal.com/file/ec8b3eeb57fe5998dd211f5bdd4ae9b27bf554b072a52332cfd61e32fd85ee26/analysis/; classtype:trojan-activity; sid:23317; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Bucriv variant outbound connection"; flow:to_server,established; content:"8FC2C6C0C4"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a\s*[0-9a-f]*8FC2C6C0C4\x7c\d+\x7cAK-/iH"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/7c9a466a041ac04de137cd9938e849546dee8e7819421b25c1c6f853a44845c3/analysis/; classtype:trojan-activity; sid:23308; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper connect to server"; flow:to_server,established; content:"gate.php"; fast_pattern:only; http_uri; content:"{"; depth:1; http_client_body; content:"-"; within:1; distance:8; http_client_body; content:"-"; within:1; distance:4; http_client_body; content:"-"; within:1; distance:4; http_client_body; content:"-"; within:1; distance:4; http_client_body; content:"}|15 00 00 00 00|"; within:6; distance:12; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/C021D80C29933C2EF636B765206C83AAFF36CA307F777F09CC26FE864B204ACE/analysis/; classtype:trojan-activity; sid:23307; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stealer connect to server"; flow:to_server,established; content:"stealer.php"; nocase; http_uri; content:"SteamAppData.vdf"; fast_pattern:only; http_client_body; content:"content-disposition: form-data|3B| name=|22|fname|22|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/B529F61EB4DD03458C5A8509B77FAC2A35CBD7B4FD78DFB0AC641CA98093D1A5/analysis/; classtype:trojan-activity; sid:23306; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|DE AD BE EF|"; depth:4; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=19d0af98ba20411191ba51a0144485cc; classtype:trojan-activity; sid:23262; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control traffic - Pushbot"; flow:to_server,established; content:"User-Agent|3A| cvc_v105"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:23261; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Duojeen variant outbound connection"; flow:to_server,established; content:"|61 61 61 00 00 00 00 01 01 00 00|"; fast_pattern:only; http_client_body; pcre:"/^.{8}\x66[0-9a-f]{1}\x2d([0-9a-f]{2}\x2d){4}[0-9a-f]{2}\x61\x61\x61\x00{4}\x01{2}\x00{2}/Pi"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/431e82e578a1a7212e94d6451bc3cc7b9a144ef5d2816913ff207909a251fb84/analysis/; reference:url,www.virustotal.com/file/8b327104e76cfda3583e9cf7416eea322e25ebdb5ef76ff99d2a6693557c4a9a/analysis/; classtype:trojan-activity; sid:23257; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Duojeen variant outbound connection"; flow:to_client,established; file_data; content:"|25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78 2D 25 30 32 78|"; fast_pattern:only; content:"|53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C|"; content:"|49 6E 74 65 72 6E 65 74 20 41 63 63 6F 75 6E 74 20 4D 61 6E|"; within:20; content:"|61 67 65 72 5C 41 63 63 6F 75 6E 74 73|"; within:13; content:"|7D 4E 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35|"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/431e82e578a1a7212e94d6451bc3cc7b9a144ef5d2816913ff207909a251fb84/analysis/; reference:url,www.virustotal.com/file/8b327104e76cfda3583e9cf7416eea322e25ebdb5ef76ff99d2a6693557c4a9a/analysis/; classtype:trojan-activity; sid:23255; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf.CL variant outbound connection"; flow:to_server,established; content:"/support3/script.php"; fast_pattern:only; http_uri; pcre:"/hwinfo=\x7b[a-f0-9]{8}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{4}\x2d[a-f0-9]{12}\x7d/smiU"; content:"name=|22|pwdata|22|"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/4195B3B362342BFA48916C2E9F04C76E0A3B65456D2CAC384128C298E5A7A009/analysis/; classtype:trojan-activity; sid:23254; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacOS.MacKontrol variant outbound connection"; flow:to_server,established; dsize:1040; content:!"|0D 0A|Host|3A|"; nocase; content:"|00 00 00 00 00 00 00 00|"; depth:32; offset:128; content:"-mac"; content:"|00 00 00 00 00 00 00 00|"; within:64; distance:80; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/b42dc4c261220df991da8c91cc20a857c6baf902d2af62a092fb8937c81ef04a/analysis/; classtype:trojan-activity; sid:23252; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spyeye variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Length|3A 20|13|0D 0A|"; fast_pattern:only; http_header; content:"|F8 22 A7 24|"; http_client_body; pcre:"/\/index.php$/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/ed09eee5ff1de74f7af7d9666a321726e745ef12c5766753b75c20c00ed6dd9b/analysis/; classtype:trojan-activity; sid:23251; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"asp?device_t="; http_uri; content:"&key="; distance:0; http_uri; content:"&device_id="; distance:0; http_uri; content:"&cv="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/B96DFE55BEF7B1CC30430A1E3F5AE826EE02DDF63582539215E4F634FA6508B9/analysis/; classtype:trojan-activity; sid:23245; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; content:"/index.php?r=gate&"; nocase; http_uri; content:"&group="; distance:0; nocase; http_uri; content:"&debug="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,spamalysis.wordpress.com/2012/04/27/contact-to-the-nearest-post-office/; reference:url,www.virustotal.com/file/1d4e30379346cc784cb29620fbc459d117a0e5221dbbb8ec0873d06a67d57b20/analysis/; reference:url,www.virustotal.com/file/6f87ceaeed3474c0747c5a7da0531459813b4a6fc71d16599917bafbf3386c38/analysis/; reference:url,www.virustotal.com/file/bc26fab87bb48d9e911e0a4557b2a6a1b984e09490baab51aa72ad7576b625af/analysis/; reference:url,www.virustotal.com/file/c398224e76d2c3234765eafd2336d1c9e5f91f3f2abdbfe69f9148d5798a4655/analysis/; classtype:trojan-activity; sid:23244; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.boxg connect to cnc server"; flow:to_server,established; content:"/msn/xbox/info.php"; nocase; http_uri; content:"login=cpf"; depth:9; nocase; http_client_body; content:"&senha"; within:6; distance:30; nocase; http_client_body; content:"Codigo"; nocase; http_client_body; content:"Compara"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/415401612cc2261081b8541763d29ccb9ab57bb12f7b35974c33f2352071656e/analysis/; classtype:trojan-activity; sid:23242; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PBin.A runtime traffic detected"; flow:to_server,established; content:"api_public.php"; nocase; http_uri; content:"paste_name=0101&paste_expire_date=10M&paste_code="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f2cc761eb7893378d76b2a44e645aee7/detection; classtype:trojan-activity; sid:23235; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 888 (msg:"MALWARE-CNC Frethog.MK runtime traffic detected"; flow:to_server,established; content:"/adx/wow.asp?WOWID="; nocase; content:"&Area="; distance:0; nocase; content:"&WU="; distance:0; nocase; content:"&WP="; distance:0; nocase; content:"&MAX="; distance:0; nocase; content:"&GOLD="; distance:0; nocase; content:"&Serv="; distance:0; nocase; content:"&rn="; distance:0; nocase; content:"&key="; distance:0; nocase; pcre:"/adx\x2fwow\x2easp\x3fWOWID\x3d[^\x26\x0d]*?\x26Area\x3d[^\x26\x0d]*?\x26WU\x3d[^\x26\x0d]*?\x26WP\x3d[^\x26\x0d]*?\x26MAX\x3d[^\x26\x0d]*?\x26GOLD\x3d[^\x26\x0d]*?\x26Serv\x3d[^\x26\x0d]*?\x26rn\x3d[^\x26\x0d]*?\x26key\x3d/smi"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c53521f02d88c90b025db7184296c8fd/detection; classtype:trojan-activity; sid:23234; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg:"MALWARE-CNC Win.Trojan.Waprox.A variant outbound connection"; flow:to_server,established; flowbits:isset,waprox.init; content:"|0A 0A|"; depth:2; offset:16; isdataat:!1,relative; metadata:impact_flag red; reference:url,www.virustotal.com/file/8a6d632930fdd3bdb04714654d60dc48b9594387d574054f99708152b3ee16e0/analysis/; classtype:trojan-activity; sid:23215; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2222 (msg:"MALWARE-CNC Win.Trojan.Waprox.A variant outbound connection"; flow:to_server,established; content:"C"; depth:1; isdataat:!1,relative; flowbits:set,waprox.init; flowbits:noalert; metadata:impact_flag red; reference:url,www.virustotal.com/file/8a6d632930fdd3bdb04714654d60dc48b9594387d574054f99708152b3ee16e0/analysis/; classtype:trojan-activity; sid:23214; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Donbot.A runtime traffic detected"; flow:to_server,established; content:"Hash|3A|"; depth:5; pcre:"/Hash\x3a\s+?[0-9A-F]{32}\r\n/i"; metadata:impact_flag red, service ircd; reference:url,www.virustotal.com/#/file/8c99829a0d5eba4f11bd6d04f5e742b6/detection; classtype:trojan-activity; sid:23176; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Lolbot variant outbound connection"; flow:to_server,established; content:"USER griptoloji"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23109; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:"/ddos?uid="; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6317bf0843703c2356243b58a961b82ba2ffbbcb1d744402c17c94c139d3ea5b/analysis/; classtype:trojan-activity; sid:23104; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bublik variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/was/u.php"; fast_pattern:only; http_uri; content:"Content-Length|3A 20|328"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/B600D0A5FC596CEEDD377890C93FE4B50F8093F2CE874EF39956E497CC63E544/analysis/; classtype:trojan-activity; sid:23103; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Flame malware connection - /view.php"; flow:to_server,established; content:"/view.php?mp=1&"; nocase; http_uri; content:"&pr=1&ec=0&ov="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,certcc.ir/index.php?name=news&file=article&sid=1894; reference:url,www.crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:23057; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dybalom.A runtime traffic detected"; flow:to_server,established; content:"index.php"; nocase; http_uri; content:"action=add&a="; distance:0; nocase; http_uri; content:"&u="; distance:0; nocase; http_uri; content:"&l="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&c="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/2443DF5B14E4EF621EBCA6D4F09C28E8/detection; classtype:trojan-activity; sid:23051; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"%96%"; http_raw_uri; content:"HTTP/1.1|0D 0A|Host|3A 20|report|2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3f331327fc4c08d772ddac1aa22fdf081e18166b1c40c32930cf1137be8525bf/analysis/; reference:url,www.virustotal.com/file/74328d37925a26f5427b31d0ceb0efef1d57d2392049ddbfb9fa25705be4a96e/analysis/; classtype:trojan-activity; sid:22937; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Coswid.klk variant outbound connection"; flow:to_server,established; content:"/update.png"; nocase; http_uri; content:"User-Agent|3A| "; nocase; http_header; content:"+Mozilla/4.0"; within:30; nocase; http_header; content:"MSIE 8.0|3B| Win32"; within:30; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/28414CF6120E4EF72E3F4669A0824465405C2FD757B3502BDCD319C9D69AF3BF/analysis/; classtype:trojan-activity; sid:22103; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Midhos variant outbound connection"; flow:to_server,established; content:"/file/id=AQA"; http_uri; content:"AAEA"; within:4; distance:1; http_uri; content:"rLhtgiZvmW8"; distance:0; http_uri; content:"&rt="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1671d64f146e97b3ce2a58514f99f91b83214af6f1c679b27f98aa277d909dbd/analysis/; classtype:trojan-activity; sid:22100; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Piroxcc variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/sedo.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/349C1AAD74E43C9814CB895B3001FAD5106FBE6450D30B727E9BB7070FDA0D7B/analysis/; classtype:trojan-activity; sid:22099; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeprox variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"php?a=n"; http_uri; content:"e>"; within:2; distance:1; nocase; http_uri; content:"my<"; distance:0; http_uri; content:"HTTP/1.0"; metadata:service http; reference:url,www.virustotal.com/file/44d6a6d47c8f02e6c64d71d8e81d985919e60a9f0f44a62167ea17059c3f3b3a/analysis/; classtype:trojan-activity; sid:22065; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Winpawr variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/ver.asp?usd="; http_uri; content:"&pwd="; distance:0; http_uri; content:"&host="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/file/4fd1db1213c60c72a7f7608334714f9f92f011067d1a0d2b90a2b54c54735754/analysis/; classtype:trojan-activity; sid:22062; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fepgul variant outbound connection"; flow:to_server,established; content:"/SkypeClient.exe"; http_uri; content:"skype.tom.com"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CCCE38CDBE10DCEE205334E58C218B3816787EF80F86A1BA95E0BD719165EFF9/analysis/; classtype:trojan-activity; sid:22060; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"/service.php?kind="; http_uri; content:"pid="; distance:0; http_uri; content:"prog="; distance:0; http_uri; content:"addresses="; distance:0; http_uri; content:"progkind="; distance:0; http_uri; content:"wv="; distance:0; http_uri; content:"ee="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/734CF749D5B31EF5AB97374E02B528E0072D86ACD143E69762A9141B08E4D069/analysis/; classtype:trojan-activity; sid:22059; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; content:"s_get_host.php?ver="; http_uri; content:"HTTP/1.0"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5f281de6faf1793f622f049f2359e09fd4fbd744f43e3fd0fdb0cbcc812fa3af/analysis/; classtype:trojan-activity; sid:22058; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?type="; http_uri; content:"&system="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&status="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/file/0e5519fd93932ed1e6712800e4c6a617d476bd2e5744945860cfedeff9fa0219/analysis/; classtype:trojan-activity; sid:22056; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Prorat variant outbound connection"; flow:to_server,established; content:"/mo3tazjordan/server.exe"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3CDE092BD99DF7AAD5A44697E199AF3A90C60DCD15CDA589E5BE75CA1D48B25E/analysis/; classtype:trojan-activity; sid:22054; rev:4;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Insomnia variant inbound connection - post infection"; flow:to_client,established; content:"Asdf1|17|0"; depth:500; content:"irc.bhfirc.net"; within:50; metadata:service ssl; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/file/75BB4A56FFA8306209592C31238732064AB61CBD8F3B5F69C054D3407660389A/analysis/; classtype:trojan-activity; sid:22053; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zeus P2P outbound connection"; flow:to_server,established; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; within:7; distance:5; metadata:policy balanced-ips alert, policy security-ips drop; reference:url,www.virustotal.com/en/file/771571422FD4D88A439773D18951B5D83FD1E927CF2970EFD5CCAC97DBB3AC50/analysis/; classtype:trojan-activity; sid:22048; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Jokbot variant outbound connection"; flow:to_server,established; content:"USER botnet"; depth:11; metadata:policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/file/5BE202BC1BF54ABFB698E4287428932C0E8219FF0822D92801798996418F0509/analysis/; classtype:trojan-activity; sid:22047; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX Flashback malware variant outbound connection"; flow:to_server,established; content:"/auupdate/"; fast_pattern; http_uri; content:"User-Agent|3A|"; http_header; base64_decode:relative; base64_data; content:"|7C|x86_64|7C|10."; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; classtype:trojan-activity; sid:22034; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX Flashback malware variant outbound connection"; flow:to_server,established; content:"/auupdate/"; fast_pattern; http_uri; content:"User-Agent|3A|"; http_header; base64_decode:relative; base64_data; content:"|7C|i386|7C|10."; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; classtype:trojan-activity; sid:22033; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.amna variant outbound connection"; flow:to_server,established; content:"daten=Username"; nocase; http_uri; content:"daten2=Password"; nocase; http_uri; content:"daten3=Games Needed (Here)"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/a386d2bcdf05197eff1b23b0059bea066134f19d9aaff9a1b512a037a466a9bc/analysis/; classtype:trojan-activity; sid:22001; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.amna variant outbound connection"; flow:to_server,established; content:"/top/"; http_uri; content:"User-Agent: Moxilla"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/a386d2bcdf05197eff1b23b0059bea066134f19d9aaff9a1b512a037a466a9bc/analysis/; classtype:trojan-activity; sid:22000; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/inf/pg01.php"; nocase; http_uri; content:"name1|3D|"; nocase; http_client_body; content:"|26|name2|3D|"; nocase; http_client_body; content:"|26|name3|3D|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/45ff0c903331fa909cf95023fa58cbd836c7376bde83bf51feedf53849300e93/analysis/; classtype:trojan-activity; sid:21998; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/arq.php"; nocase; content:"nome|3D|versao"; nocase; http_client_body; content:"dados|3D 25|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/62598822d90e85251f587783ccffd56a7369c18e90d918cf726b220549ee53e5/analysis/; classtype:trojan-activity; sid:21997; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; flowbits:isset,dorkbot.ircinit; content:"PRIVMSG"; depth:7; nocase; pcre:"/\x3a[^\x3a]+\x3a.(dl|die|rm|stats|logins|msn\.(set|int)|http\.(set|int|inj)|mdns|up|udp|ssyn|slow|(ff|ie|ftp)grab)/is"; reference:url,www.virustotal.com/en/file/f2f35f6f71ff6d7a4166d2821fc5d83eb3494a13c0874e9056a5bff924e6ae4b/analysis/; classtype:trojan-activity; sid:21996; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:"hcaimud|0D 0A|"; flowbits:set,dorkbot.ircinit; reference:url,www.virustotal.com/file-scan/report.html?id=f2f35f6f71ff6d7a4166d2821fc5d83eb3494a 13c0874e9056a5bff924e6ae4b-1319906395; classtype:trojan-activity; sid:21995; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BamCompiled variant inbound updates"; flow:to_client,established; file_data; content:"<zombis>"; nocase; content:"<JUNIPER-M3>"; within:100; nocase; content:"</JUNIPER-M3>"; distance:0; nocase; content:"</zombis>"; within:100; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21984; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BamCompiled variant outbound connection"; flow:to_server,established; content:"/Admin/FunctionsClient/"; fast_pattern:only; http_uri; pcre:"/\x2fAdmin\x2fFunctionsClient\x2f(check.txt|Select.php|Update.php)/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/7cc3fa3197a5efd486d64483855cb55801e32ecd1e51a9b5e4cdf64f454874dc/analysis/; classtype:trojan-activity; sid:21983; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Insain variant outbound connection"; flow:to_server,established; content:".php"; nocase; http_uri; content:"&000117&"; within:15; fast_pattern; http_uri; content:"&0000"; within:20; distance:32; http_uri; content:!"User-Agent"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/99305d34ad7a4e62bf1bfe397c2b3e32/detection; classtype:trojan-activity; sid:21982; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Selvice variant outbound connection"; flow:to_server,established; content:"/news/image.jpg"; nocase; http_uri; content:!"User-Agent"; http_header; metadata:service http; reference:url,www.virustotal.com/file/7d232ae8e57079de3c980795f6c3f23d9056cc740dc91f378323e269d9eda6cb/analysis/; classtype:trojan-activity; sid:21981; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Winac variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/bot_reg.php"; nocase; http_uri; content:!"|0A|User-Agent"; nocase; http_header; metadata:service http; classtype:trojan-activity; sid:21980; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Lapurd.D variant outbound connection"; flow:to_server,established; content:"/indux.php"; fast_pattern:only; http_uri; pcre:"/indux.php.*?U=\d+@\d+@\d+@/iU"; metadata:service http; reference:url,www.virustotal.com/#/file/ead062fb0aca0e3d0e8c12c4cf095765/detection; classtype:trojan-activity; sid:21976; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Worm.Expichu variant inbound connection"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"SysLive.exez"; depth:12; offset:30; content:"|51 4E 31 4E 8F BF 42 B3 14 8E 38 BD 49 8A D3 C2|"; within:1344; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/9f8078fedc8a496524ce1b0adfd33293/detection; classtype:trojan-activity; sid:21975; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Worm.Expichu variant inbound connection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"4e80fw7f87we0f87we0f0wefyouf"; fast_pattern:only; content:"fuckyo"; content:"loveq"; distance:0; content:"loveq"; within:5; distance:1; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/9f8078fedc8a496524ce1b0adfd33293/detection; classtype:trojan-activity; sid:21974; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3129 (msg:"MALWARE-CNC Win.Trojan.Pasmu connect to server"; flow:to_server,established; content:"POST"; content:"|2F|put_accs.dll"; nocase; content:"Content-Type"; nocase; content:"multipart|2F|form-data|3B|"; distance:0; nocase; content:"boundary=------"; distance:0; nocase; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=3d9c6e233f5866503b7c536e1d3a6d7ce1185afaaba77d4b23e054299a2b4c58; classtype:trojan-activity; sid:21966; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Murcy protocol connection to server"; flow:to_server,established; content:"Extra-Data-Bind"; nocase; http_header; content:"Extra-Data-Space"; nocase; http_header; content:"Extra-Data"; nocase; http_header; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21964; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC X-Shell 601 communication protocol connection to server"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|43 36 30 31|"; depth:4; offset:16; fast_pattern; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21963; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BB communication protocol connection to server"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; offset:4; content:"|01 04 01 00 00|"; within:5; distance:8; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21962; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC IP2B communication protocol connection to server"; flow:to_server,established; content:"|12 34 56 78 10 00 10 00|"; depth:8; content:"|00 18 09 07 20|"; within:5; distance:4; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21961; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC LURK communication protocol connection to server"; flow:to_server,established; content:"|4C 55 52 4B 30|"; depth:5; content:"|78 9C|"; within:2; distance:8; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21960; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,12345] (msg:"MALWARE-CNC UPDATE communication protocol connection to server"; flow:to_server,established; content:"X|2D|Session|3A|"; nocase; http_header; content:"X|2D|Status|3A|"; nocase; http_header; content:"X|2D|Size|3A|"; nocase; http_header; content:"X|2D|Sn|3A|"; nocase; http_header; content:"User|2D|Agent|3A| Mozilla|2F|4|2E|0 |28|compatible|3B| MSIE 6|2E|0|3B| Windows NT 5|2E|1|3B|SV1|3B|"; nocase; http_header; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21959; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC QDIGIT protocol connection to server"; flow:to_server,established; content:"|51 31 39 21 00|"; depth:5; metadata:service http; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:21958; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.VicSpy.A variant outbound connection"; flow:to_server,established; content:"VicSpy Keylogger"; depth:16; fast_pattern; nocase; content:"|0A|Ver|3A| "; within:50; nocase; content:"|0A|Prm|3A| "; within:50; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/#/file/2bbef26772b939011dee38b4e0693e47/detection; classtype:trojan-activity; sid:21947; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] (msg:"MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection"; flow:to_server,established; content:"|96 F4 F6 F6|"; depth:64; isdataat:128,relative; content:"|FE F6 F0 F6|"; within:384; distance:128; content:"|F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21946; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1024:] (msg:"MALWARE-CNC Win.Trojan.Litmpuca.A variant outbound connection"; flow:to_server,established; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:!"<head>"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/5513b45a4856f7941d71cf0885380469fdc22ece101d0399baabc9bd8b5536be/analysis/; classtype:trojan-activity; sid:21945; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Aldi bot variant outbound connection user-agent"; flow:to_server,established; content:"Aldi Bot FTW! :D"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21912; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Aldi variant outbound connection C&C checkin"; flow:to_server,established; content:"gate.php?hwid="; http_uri; content:"pc="; distance:0; http_uri; content:"localip="; distance:0; http_uri; content:"winver="; distance:0; http_uri; pcre:"/hwid=[^\x0a\x26]+?\x26pc=[^\x0a\x26]+?\x26localip=[^\x0a\x26]+?\x26winver=/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2011/10/ddos-aldi-bot/; classtype:trojan-activity; sid:21911; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX Flashback malware user-agent"; flow:to_server,established; content:"Windows NT 6.1|3B| WOW64|3B| rv:9.0.1|3B| sv:2|3B| id:"; http_header; pcre:"/[1-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,contagiodump.blogspot.com/2012/04/i-have-been-tracking-infections-too-and.html; classtype:trojan-activity; sid:21910; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Sabpub variant outbound connection"; flow:to_server,established; content:"/update.aspx"; http_uri; content:"Accept-Encoding|3A 20|base64,gzip"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:21877; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Orsam variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/ping.php"; http_uri; content:"WinHttp.WinHttpRequest"; http_header; pcre:"/User-Agent\x3a\x20[^\n]*?WinHttp\x2eWinHttpRequest.*?\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/792636c6d2114a93afb95dccc05fd2820fa236fc5d3d9d1f5a3db6ba80353087/analysis/; classtype:trojan-activity; sid:21852; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"MALWARE-CNC Win.Trojan.LogonInvader.a variant outbound connection"; flow:to_server,established; content:"|FF|OnConnec|FE|t|7C 03|123|00|"; depth:17; offset:4; nocase; reference:url,virustotal.com/file/8c89761be3f0141ff5024d3b2a466700f42025b9d7754aed850f1961ccb0a005/analysis/; classtype:trojan-activity; sid:21769; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"/download.html"; nocase; http_uri; content:"User-Agent|3A 20|wmagents.exe"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f9775d5fc61ec53a7cab4b432ec2d227/detection; classtype:trojan-activity; sid:21761; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0A|User-Agent|3A 20|tiehttp"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A 20|"; nocase; http_client_body; content:"form-data|3B| name=|22|filename|22|"; distance:0; nocase; http_client_body; content:"|0D 0A 0D 0A|"; within:4; http_client_body; pcre:"/^\d{0,10}_passes_\d{1,10}\.xm/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f9775d5fc61ec53a7cab4b432ec2d227/detection; classtype:trojan-activity; sid:21760; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; content:"/stat_d/"; fast_pattern:only; http_uri; pcre:"/\/stat_d\/$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21758; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; content:"/stat_svc/"; fast_pattern:only; http_uri; pcre:"/\/stat_svc\/$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21757; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; content:"/stat_n/"; fast_pattern:only; http_uri; pcre:"/\/stat_n\/$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21756; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Flashback variant outbound connection"; flow:to_server,established; content:"/stat_u/"; fast_pattern:only; http_uri; pcre:"/\/stat_u\/$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,www.virustotal.com/file/8ff99e6fc29349d5550ee3c721c180d938de2642c5a3c318cf4ccf5839ba214d/analysis/; classtype:trojan-activity; sid:21755; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bbc/null.php"; fast_pattern:only; http_uri; content:"HTTP/1.0"; metadata:service http; reference:url,www.virustotal.com/file/7c13fab6f6ef3ed8677ef4a12520b28ef0712948095ef2dc2ae754bdec7b3a15/analysis/; classtype:trojan-activity; sid:21643; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Aluereon TDSS infection variant outbound connection"; flow:to_server,established; content:".php?i="; fast_pattern; http_uri; content:"&a="; distance:0; http_uri; content:"&f="; distance:0; http_uri; content:"&x64="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1cc3d8345af514e2ea0fb3a2abdd82c8c5567e5ddd934d5eb458cca3acea4b09/analysis/1332706994/; classtype:trojan-activity; sid:21638; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Phdet.gen.A variant outbound connection"; flow:to_server,established; content:"/stat.php"; nocase; http_uri; content:"id="; nocase; http_client_body; content:"build_id="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/434019d76729957921ac581c42cb8564179eecdd7699c790056f53a4c93092d6/analysis/; classtype:trojan-activity; sid:21635; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom variant outbound connection"; flow:to_server,established; content:"Referer|3A| res|3A 2F 2F|"; http_header; content:"|3A 5C|"; within:3; distance:1; http_header; content:"|2E|exe|2F|main|0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2ed70f0d0fed4fba04d576bc2a9a13541a95f4ecb5bdead07ca30d7b40a70d84/analysis/; classtype:trojan-activity; sid:21632; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sinowal javascript delivery method"; flow:to_client,established; file_data; content:"(function(){function "; content:"window.navigator.userAgent.indexOf(|22|Windows NT 6.|22|"; distance:0; content:"else setTimeout("; distance:0; content:",10)}"; distance:0; content:"()})()|3B|"; distance:0; pcre:"/\x28function\x28\x29\x7bfunction\x20([a-zA-Z0-9]+).*?else\x20setTimeout\x28\1\x2c10\x29\x7d\1\x28\x29/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,wepawet.cs.ucsb.edu/view.php?hash=03c2bae0e0a779cda0f3a2c8679a46ef&type=js; classtype:trojan-activity; sid:21631; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Georbot variant outbound connection"; flow:to_server,established; content:".php?ver="; http_uri; content:"&cam="; distance:0; http_uri; content:"&p=bot123"; distance:1; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.eset.com/wp-content/media_files/ESET_win32georbot_analysis_final.pdf; classtype:trojan-activity; sid:21622; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Refroso.azyg variant outbound connection"; flow:to_server,established; content:"Nome do Computador"; fast_pattern:only; http_client_body; content:"MAC do cpmputador"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/d5d1cd87510a395fa4cbe87652d39f9f16871699d8c69ccd0455348ec106a171/analysis/; classtype:trojan-activity; sid:21610; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; content:"php?net=gnutella2&get=1&client=RAZA2."; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Shareaza"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/77c5acc4209778042fe21829a6728815249026d459e7622cf62b113b2f76d553/analysis/; classtype:misc-activity; sid:21593; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kelihos variant outbound connection"; flow:to_server,established; content:"/wsouth1.exe"; http_uri; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/file/bdec740dcbda605694bfa2bc9f463bec4e401f331d1452a5437222cf53b9d5d0/analysis/; classtype:trojan-activity; sid:21565; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kelihos variant outbound connection"; flow:to_server,established; content:"/jucheck.exe"; http_uri; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/#/file/B49BCE1778F76F7D59909790B93CBB86/detection; classtype:trojan-activity; sid:21564; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kelihos variant outbound connection"; flow:to_server,established; content:"/rtce0"; http_uri; content:".exe"; distance:0; http_uri; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.abuse.ch/?p=3658; reference:url,www.virustotal.com/#/file/B49BCE1778F76F7D59909790B93CBB86/detection; classtype:trojan-activity; sid:21563; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Waledac.exe download"; flow:to_server,established; content:"plsec"; fast_pattern:only; http_uri; pcre:"/plsec\x5f[0-9a-zA-Z]+\x2eexe/iU"; content:!"User-Agent"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=dbeeb667f5916f662045eb13db1bd68ffc3a544e108398b939248b73d0c0346f; classtype:trojan-activity; sid:21554; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.cpze connect to server"; flow:to_server,established; content:"Host|3A| checkin.ignorelist.com"; fast_pattern:only; http_header; content:"user="; nocase; http_uri; content:"cmd="; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=cd84c401570a92d513c1537ad33e435ace8335f4faff4dabb9917fdb3f1e81b8; classtype:trojan-activity; sid:21553; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kahn variant outbound connection"; flow:to_server,established; content:"/panda/?u="; http_uri; pcre:"/\x2fpanda\x2f\x3fu\x3d[a-z0-9]{32}/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21552; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kahn variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length|3A 20|1000002"; http_header; content:"z="; depth:2; http_client_body; pcre:"/\/$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2012/03/kahn/; reference:url,www.virustotal.com/file/3e37577f8bd7d4d248d414ec65b1c339e491d0d7c096c92e602c639faec7626f/analysis/; classtype:trojan-activity; sid:21551; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Cutwail landing page connection"; flow:to_client,established; file_data; content:"<h1>WAIT PLEASE</h1>|0D 0A 20|<h3>Loading...</h3>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Cutwail_botnet; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2FCutwail; classtype:trojan-activity; sid:21548; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"/getcmd.php?id="; http_uri; content:"&traff="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/c31f47dddc4d15dacecb47408248b4f12e2ad5c829299d7223eb36f7ecbc6db3/analysis/; classtype:trojan-activity; sid:21547; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Possible host infection - excessive DNS queries for .cn"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|02|cn|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; metadata:service dns; classtype:trojan-activity; sid:21546; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Possible host infection - excessive DNS queries for .ru"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; metadata:service dns; classtype:trojan-activity; sid:21545; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Possible host infection - excessive DNS queries for .eu"; flow:to_server,no_stream; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; metadata:service dns; classtype:trojan-activity; sid:21544; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus html page download"; flow:to_server,established; content:"|2F|se.php?"; nocase; http_uri; content:"aid"; nocase; http_uri; content:"sid"; nocase; http_uri; content:"key=money"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=f18a061699b0a7f7c1fad20feced9c2ca3b8b397c4d0585e03bb09d2cca6f00e; classtype:trojan-activity; sid:21543; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus firefox extension download"; flow:to_server,established; content:"|2F|request.php?"; nocase; http_uri; content:"aid=blackout"; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=f18a061699b0a7f7c1fad20feced9c2ca3b8b397c4d0585e03bb09d2cca6f00e; classtype:trojan-activity; sid:21542; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus connect to server"; flow:to_server,established; content:"|2F|inst.php?"; nocase; http_uri; content:"aid=blackout"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=f18a061699b0a7f7c1fad20feced9c2ca3b8b397c4d0585e03bb09d2cca6f00e; classtype:trojan-activity; sid:21541; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus application download"; flow:to_server,established; content:"|2F|update.php?"; nocase; http_uri; content:"aid=blackout"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=f18a061699b0a7f7c1fad20feced9c2ca3b8b397c4d0585e03bb09d2cca6f00e; classtype:trojan-activity; sid:21540; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dofoil variant outbound payload request"; flow:to_server,established; content:".exe"; http_uri; content:"HTTP/1.0"; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A|"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21538; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader keep-alive connection detection"; flow:to_server,established; content:"p=BotPoke"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/afe0c804e4cd1ccaa978702129b769a6/detection; classtype:trojan-activity; sid:21528; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader registration connection detection"; flow:to_server,established; content:"BotRegister"; fast_pattern:only; http_uri; content:"botmajor="; nocase; http_uri; content:"botminor="; nocase; http_uri; content:"osmajor="; nocase; http_uri; content:"osminor="; nocase; http_uri; content:"botcountry="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/afe0c804e4cd1ccaa978702129b769a6/detection; classtype:trojan-activity; sid:21527; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"/UpdateInfo2.xml"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3303912ce4dd35cb0fefe2d6fbc75a887c2734d42e5edd622609a2c8bedd0dae/analysis/; classtype:trojan-activity; sid:21525; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 34354 (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"H="; depth:2; offset:18; reference:url,www.virustotal.com/file/c0a6b40809556199f0e746bf37e7ab29b97c4a90eb84d85360a1caf065c190ca/analysis/; classtype:trojan-activity; sid:21523; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bayrob update connection"; flow:to_server,established; content:"/insert/index?"; fast_pattern:only; http_uri; pcre:"/id=\d+&count=\d+_\d+&TType=\d+&Enc=\d+&Hst=/P"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/2f1e943405e5b6fa1c76541470fe1ace/detection; classtype:trojan-activity; sid:21521; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bayrob variant outbound connection"; flow:to_server,established; content:"/insert/index/id"; fast_pattern:only; http_uri; pcre:"/^\x2finsert\x2findex\x2fid\x2f\d+\x2fcount\x2f\d+_\d+/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/2f1e943405e5b6fa1c76541470fe1ace/detection; classtype:trojan-activity; sid:21520; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent-59544 connect to server"; flow:to_server,established; content:"POST"; http_method; content:"login.php"; nocase; http_uri; content:"Content-Type|3A|"; nocase; content:"multipart/form-data"; within:20; nocase; content:"Content-Length|3A|"; nocase; content:" 96|0D 0A|"; within:10; content:"|0D 0A 0D 0A|"; isdataat:!97,relative; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=d0a37291c865951be275f0b863a5c3483769a4eb9e3593bf99dc0030028d2c11; classtype:trojan-activity; sid:21518; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra connect to server"; flow:to_server,established; content:"POST"; http_method; content:"|2F|postModulo.php"; nocase; http_uri; content:"User-Agent"; nocase; http_header; content:"Mozilla|2F|3.0"; distance:0; fast_pattern; nocase; http_header; content:"arquivo="; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=2178f9df624644e50ad69e9359540139f1df8a975c8f7dd69226d4f7274588cc; classtype:trojan-activity; sid:21514; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vaxpy variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| HTTP Client"; fast_pattern:only; http_header; content:"sysname="; nocase; pcre:"/\x2f(onl|pro|up|imp)\x2ephp/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/a05507635483e89a86cba67d30ffa463/detection; classtype:trojan-activity; sid:21511; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBbot.V connect to server"; flow:to_server,established; content:"|38 0D FF 0A D7 EE 9D D7 EC 59 13 56|"; depth:12; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=ce52c8aee996dff00b4174b05e6c0037aa9983adfbc26fcc739442748692bcc1; classtype:trojan-activity; sid:21502; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4562 (msg:"MALWARE-CNC Win.Trojan.Saeeka variant outbound connection"; flow:to_server,established; content:"UPDATE"; depth:6; pcre:"/UPDATE\x7c\s*?\d{1,2}\x3a\d{2}\s+(AM|PM)\s*?\x7c/i"; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/76077fe5cd83fa7392fb94501113ab07/detection; classtype:trojan-activity; sid:21497; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4562 (msg:"MALWARE-CNC Win.Trojan.Saeeka variant outbound connection"; flow:to_server,established; content:"QCONNECT"; depth:8; pcre:"/^QCONNECT\x7c[^\x7c]+?\x7c[^\x7c]+?\x7c[^\x7c]+?\x7c\s*?\d{1,2}\x3a\d{2}\s*?(AM|PM)/i"; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/76077fe5cd83fa7392fb94501113ab07/detection; classtype:trojan-activity; sid:21496; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 300 (msg:"MALWARE-CNC Win.Trojan.Vilsel variant outbound connection"; flow:to_server,established; content:"Welcome"; depth:7; nocase; pcre:"/^Welcome\x7c[^\x7c]+?\x7c\d+\.\d+\.\d+\.\d+\x7c[^\x7c]+?\x7c[^\x7c]+?Windows[^\x7c]+?\x7c/i"; reference:url,www.virustotal.com/#/file/bacc3a868145ad71d6c29c38fa53b996/detection; classtype:trojan-activity; sid:21495; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"MALWARE-CNC Win.Trojan.Palevo variant outbound connection"; flow:to_server,established; content:"GET /.i/x.exe HTTP/1.1|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible)|0D 0A|Host|3A 20|"; fast_pattern:only; reference:url,www.virustotal.com/file/20bb94e14c7248c6ab27365eb414e271eb4ac635863c90862f6a0d553ac59bb4/analysis/; classtype:trojan-activity; sid:21487; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Accept: */*|0D 0A|"; content:"Cookie: cid="; distance:0; reference:url,www.virustotal.com/#/file/04e2cceb91cffef4573df6801b626c04/detection; classtype:trojan-activity; sid:21486; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Noobot variant outbound connection"; flow:to_server,established; content:"syun="; fast_pattern:only; http_uri; content:"meth="; http_uri; content:"tid="; http_uri; content:"cqe="; http_uri; content:"inif="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/7caaacf5cfa9c0b0b37761d4c1e9afbc/detection; classtype:trojan-activity; sid:21477; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lancafdo.A variant outbound connection"; flow:to_server,established; content:"_TEST_"; fast_pattern:only; content:"id="; nocase; http_client_body; content:"ln="; distance:0; nocase; http_client_body; content:"cn="; distance:0; nocase; http_client_body; content:"nt="; distance:0; nocase; http_client_body; content:"bid="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/ae77218a209712f1a8fc90d29cd5e3def2ed86396d7dea573646086a5aa4e7aa/analysis/; classtype:trojan-activity; sid:21474; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC Win.Trojan.GameThief variant outbound connection"; flow:to_server,established; content:"/cxgid/"; fast_pattern:only; http_uri; pcre:"/\x2fcxgid\x2f[^\x2f]+?\x2f\d+\x2f\d+\x2findex\.php$/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c53c3aa80836f1533ccfd5332cc04040/detection; classtype:trojan-activity; sid:21473; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf.tzp download"; flow:to_server,established; content:"GET"; http_method; content:"gate.php"; nocase; http_uri; content:"box="; nocase; http_uri; content:"take="; fast_pattern:only; http_uri; content:"uid="; nocase; http_uri; metadata:service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FChyup.B&ThreatID=-2147337682; reference:url,www.virustotal.com/file-scan/report.html?id=b49c28228ceb00519e23fdcf562c058ae6e0608326617f40cd70b1274d2511a4; classtype:trojan-activity; sid:21472; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"1=1&cliente="; http_client_body; content:"&oq="; within:8; nocase; http_client_body; content:"&categoria="; within:128; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/00a32546ff1e3911818c11b1a548a8fe9762aed5fd51e1607b7c36d07b02768f/analysis/; classtype:trojan-activity; sid:21471; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Krap.Gy connect to server"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: id="; nocase; http_header; content:"&smtp=ok&ver="; nocase; http_header; content:"*|3B| q=.2"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=2ba9c62f9f1fc5127fe7eec9fdc9a45e81c9edd35958b23e4c3bcd5386ca4fea; classtype:trojan-activity; sid:21470; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dama variant outbound connection"; flow:to_server,established; content:"nongmin"; depth:7; pcre:"/(\d{1,3}\x2e){3}\d{1,3}/R"; reference:url,www.virustotal.com/file/77ac8361b70fc5af8cab56092a2f80b243cda7bf2f2b18543bad33c5a8d3734e/analysis/; classtype:trojan-activity; sid:21468; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.IRCBot variant outbound connection"; flow:to_server,established; content:"JOIN #blackout|0A|"; nocase; reference:url,www.virustotal.com/file/30635185fa6f462693cfe70ca7088f30d8c0b0672a2bae38778d416e96bb710b/analysis/; classtype:trojan-activity; sid:21467; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"MALWARE-CNC Autorun.BDS runtime traffic detected"; flow:to_server,established; content:"JOIN |23 23|CB3|23 23|"; nocase; reference:url,www.virustotal.com/#/file/f5f8a7022e6b516dd9938b80721d318f/detection; classtype:trojan-activity; sid:21466; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Downloader-CEW.b runtime traffic detected"; flow:to_server,established; content:"|2F|sd56c1d56sc1d56sc.php"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/cee369b87a59a4be00c9a3e6fca71ad7/detection; classtype:trojan-activity; sid:21464; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Bibei variant inbound connection"; flow:to_client,established; file_data; content:"|2B 5A F6 FF CF FF FF FF BF FF FF FF 00 00 FF FF|"; content:"|ED BA 79 69 C8 FD F8 D8 09 89 D8 E9 29 FD C9 E9 19 19 09 B8|"; within:20; distance:61; metadata:service http; reference:url,www.virustotal.com/file/328e27c5fd84946c5b47f5af43ad00c294616c97fd80cddfa048a5c6937768f0/analysis/; classtype:trojan-activity; sid:21463; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.DarkComet variant outbound connection - post infection"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.virustotal.com/file/03b27372625487f3ed7567749da8050e60f2cd857b6227062afcfdee8d7e6cac/analysis/; classtype:trojan-activity; sid:21461; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.DarkComet inbound connection"; flow:to_client,established; content:"KeepAlive"; fast_pattern:only; pcre:"/KeepAlive\x7c\d{7}/"; flowbits:set,darkcomet; flowbits:noalert; reference:url,www.virustotal.com/file/03b27372625487f3ed7567749da8050e60f2cd857b6227062afcfdee8d7e6cac/analysis/; classtype:trojan-activity; sid:21460; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkComet variant outbound connection"; flow:to_server,established; content:"/Update/Update.bin"; fast_pattern:only; http_uri; metadata:service http; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:21456; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra.vec variant outbound connection"; flow:to_server,established; content:"/exec.php"; fast_pattern; nocase; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"form-data|3B| name=|22|exec|22|"; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/bbae8d5d3179b882ebcfe72a7ac36fa7e71c0ac6225c82ae51ac3f076efea695/analysis/; classtype:trojan-activity; sid:21454; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.djvk connect to server"; flow:to_server,established; content:"POST"; http_method; content:"|2F|images|2F|logos|2E|php"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0 (compatible|3B| Indy Library)|0D 0A|"; nocase; http_header; content:"praquem"; nocase; http_client_body; content:"titulo"; nocase; http_client_body; content:"texto"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=efc3a10427472357dfd37bc9f35d734e6e6de333ec1dfc1422e97458417f9181; classtype:trojan-activity; sid:21452; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent.djvk malicious hosts file download"; flow:to_client,established; file_data; content:"um arquivo HOSTS de exemplo"; fast_pattern:only; content:"127.0.0.1"; content:"localhost"; distance:0; nocase; content:"GbPluguin"; distance:0; nocase; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=efc3a10427472357dfd37bc9f35d734e6e6de333ec1dfc1422e97458417f9181; classtype:trojan-activity; sid:21451; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Obitel connect to cnc server"; flow:to_server,established; content:"getfkjenfkefnekrfnerkfwkl.php"; nocase; http_uri; content:"id"; distance:0; nocase; http_uri; content:"User-Agent|3A 20|ie|0D 0A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=cc8e12fa6a0cb5af411b31dc9d85d99dc9a1a50dc29f5042d631a560add17708; classtype:trojan-activity; sid:21450; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Obitel install"; flow:to_server,established; content:"/guess4.exe"; nocase; http_uri; content:"User-Agent|3A 20|ie|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=cc8e12fa6a0cb5af411b31dc9d85d99dc9a1a50dc29f5042d631a560add17708; classtype:trojan-activity; sid:21449; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Webmoner.zu connect to server"; flow:to_server,established; content:"GET"; http_method; content:"bb.php?&&&&AAAA&&&&"; nocase; http_uri; content:"&id="; distance:0; http_uri; content:"&b=trafff"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=ab2f70c210ed20b0bc495b7227938d2ef50ec38d94e1b177060851f4a983d560; classtype:trojan-activity; sid:21448; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)"; fast_pattern:only; http_header; content:"HOST|3A|"; http_header; content:!"X-BlueCoat-Via"; nocase; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/?ini="; http_uri; content:"data="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9fd42ddde9f50512f9611da187232bb17b8ded18e2ba5833203e025281cc575f/analysis/; classtype:trojan-activity; sid:21441; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Murofet variant outbound connection"; flow:to_server,established; content:".php?w="; nocase; http_uri; content:"&n="; distance:0; http_uri; content:".cn|0D 0A|"; http_header; pcre:"/\.php\x3fw\x3d\d+\x26n\x3d\d+/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/aeab4913c8bb1f7f9e40258c323878969b439cf411bb2acab991bba975ada54e/analysis/; classtype:trojan-activity; sid:21440; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Startpage variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/get_config.cgi"; http_uri; content:"x-company|3A 20|soft2pcfr"; http_header; content:"User-Agent|3A 20|EoAgence"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/c96a0bbedc16bc05904b3d60b63976825efa23493a01410c7c8d0cad7b1551c7/analysis/; classtype:trojan-activity; sid:21436; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Mentor inbound connection - post infection"; flow:to_client,established; flowbits:isset,trojan.mentor; file_data; content:"[UPDATE]|0D 0A|VER = "; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21435; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mentor variant outbound connection"; flow:to_server,established; content:"/updates.ini"; http_uri; content:!"Referer"; http_header; flowbits:set,trojan.mentor; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/file/e7b27ac6d0268b4170a428fdec827078d36723e2abace1fc521cc6e5c6310e54/analysis/; classtype:trojan-activity; sid:21434; rev:9;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BeeOne runtime traffic detected"; flow:to_client,established; file_data; content:"cbs.firstcitiz"; content:"ibbpowerlink.com"; distance:0; content:"cashmanager.mizuhoe-treasurer.com"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/1f14a55b06447c5e8b4c7f4153314daf295aaf413d8c645263273574b755e71f/analysis/; classtype:trojan-activity; sid:21430; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Generic-24 variant outbound connection"; flow:to_server,established; content:".php?email="; http_uri; content:"&lici="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:!"User-Agent|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/633b96e0c60187b5c583686e75eddabe1cb635d46b794d335ceb81a3944a0806/analysis/; classtype:trojan-activity; sid:21428; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/update.aspx"; fast_pattern; http_uri; content:"Accept-Language|3A 20|zh-cn|0D 0A|"; http_header; content:"a="; depth:2; http_client_body; content:"&v="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21427; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:"/tadonot.php"; http_uri; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"pcnome="; depth:7; fast_pattern; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0f1f5002b63f0fbd1014951ee762084fd34de66e8e867e63e63712f4cba8f303/analysis/; classtype:trojan-activity; sid:21426; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10086 (msg:"MALWARE-CNC Win.Trojan.Ghodow.A exe file download"; flow:to_server,established; content:"GET"; depth:3; content:".exe"; distance:0; pcre:"/GET[^\x0d\x0a]*\x2Eexe/"; reference:url,www.virustotal.com/file-scan/report.html?id=dea8c2635f90a9cad39c9bc1cce605ee770c622947dc4a51afa9259007ba8c5d; classtype:trojan-activity; sid:21425; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8881 (msg:"MALWARE-CNC Win.Trojan.Ghodow.A connect to cnc"; flow:to_server,established; content:"GET"; depth:3; content:"|2F|count.aspx"; within:11; distance:1; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=dea8c2635f90a9cad39c9bc1cce605ee770c622947dc4a51afa9259007ba8c5d; classtype:trojan-activity; sid:21424; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FareIt variant outbound connection"; flow:to_server,established; content:"CRYPTED0"; depth:8; http_client_body; content:"POST"; http_method; content:".php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/659ea4753a64cce6ac15e78802a21c5ba75596ff5a9d112295ba3484b1033064/analysis/; reference:url,www.virustotal.com/file/f159e0e7ae312472e09742d8f9d7a45e655a943cf2ec3195f56c6af15df1039a/analysis/; classtype:trojan-activity; sid:21418; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankpatch authentication string detected"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"MDAwMDAwMDAwMDAwMDAwMDAwMTA"; http_client_body; metadata:service http; reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; classtype:trojan-activity; sid:21416; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Vobfus.DL variant outbound connection cont"; flow:to_server,established; content:"/gate.php"; nocase; http_uri; content:"Content-Encoding|3A| binary"; http_header; content:"FILE0|00|"; depth:6; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/a4a763e350329cd1a4b325e33802e82da4b3bab1af5ca0a0aaa12eaecb7897e1/analysis/; classtype:trojan-activity; sid:21404; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Vobfus.DL variant outbound connection"; flow:to_server,established; content:"?pr=gA924CD"; nocase; http_uri; pcre:"/\x3fpr=gA924CD[0-9a-z%]{20}/Ui"; metadata:service http; reference:url,www.virustotal.com/file/a4a763e350329cd1a4b325e33802e82da4b3bab1af5ca0a0aaa12eaecb7897e1/analysis/; classtype:trojan-activity; sid:21403; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ponfoy.A variant outbound connection"; flow:to_server,established; content:".php?country="; nocase; http_uri; content:"&os="; distance:0; nocase; http_uri; content:"&pc="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/file/bc29547ef9ce8f1490e1feade8952a687b32b015c5e4500f518768808df2d98d/analysis/; classtype:trojan-activity; sid:21402; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kenzor.B variant outbound connection"; flow:to_server,established; content:"&pc_memory="; http_client_body; content:"&pc_img="; within:20; http_client_body; content:"&email="; distance:0; http_client_body; content:"&password="; distance:0; http_client_body; content:"&sex="; distance:0; metadata:service http; reference:url,www.virustotal.com/file/5e92dd5fe8561605a0ecb138725d27373503d129195357edf3e8eef6a0a4685c/analysis/; classtype:trojan-activity; sid:21401; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kenzor.B variant outbound connection"; flow:to_server,established; content:"uid="; http_client_body; content:"&pc_user="; within:40; http_client_body; content:"&pc_domein="; distance:0; http_client_body; content:"&pc_name="; distance:0; http_client_body; content:"&pc_dir="; distance:0; metadata:service http; reference:url,www.virustotal.com/file/5e92dd5fe8561605a0ecb138725d27373503d129195357edf3e8eef6a0a4685c/analysis/; classtype:trojan-activity; sid:21400; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.dcac runtime traffic detected"; flow:to_server,established; content:"/auctionline/openshopmanager/chk.php"; nocase; http_uri; content:"User-Agent: openshopmanager"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/193c7df1007feac27b601aee2b2f68ac/detection; classtype:trojan-activity; sid:21391; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Agobot.dl runtime traffic detected"; flow:to_server,established; content:"JOIN |23|fsckyou .spreadx."; depth:23; nocase; reference:url,www.virustotal.com/#/file/6b702fbcdc9989c8d59d1c78b7eef0bb/detection; classtype:trojan-activity; sid:21390; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wadolin.A runtime traffic detected"; flow:to_server,established; content:"mipolas.com"; nocase; http_header; content:"/l/banner.php"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/30643794a4cc9191ad7e237df1464b09/detection; classtype:trojan-activity; sid:21386; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nuqel.Q host freewebs.com runtime traffic detected"; flow:to_server,established; content:"/setting.doc"; nocase; http_uri; content:"www.freewebs.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/5621abf87c259a03fffb09bc376e3553/detection; classtype:trojan-activity; sid:21384; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nuqel.Q host 9999mb.com runtime traffic detected"; flow:to_server,established; content:"/setting.doc"; nocase; http_uri; content:"setting3.9999mb.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/5621abf87c259a03fffb09bc376e3553/detection; classtype:trojan-activity; sid:21383; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nuqel.Q host setting3.yeahost.com runtime traffic detected"; flow:to_server,established; content:"/setting.doc"; nocase; http_uri; content:"setting3.yeahost.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/5621abf87c259a03fffb09bc376e3553/detection; classtype:trojan-activity; sid:21382; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dialer.ngb runtime traffic detected"; flow:to_server,established; content:"/Dialer|5F|Min/number.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/7b1da8dc4f5756ab715fc02dd53a04e9/detection; classtype:trojan-activity; sid:21381; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Genome.Amqj runtime traffic detected"; flow:to_server,established; content:"/hardclean/HardCUp.idx"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c982a5a595ca86ea266e67ecba03affb/detection; classtype:trojan-activity; sid:21379; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Microjoin activity detected"; flow:to_server,established; content:"/s/exx"; depth:6; nocase; http_uri; content:".php"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/report.aspx?md5=1541f1ee43a7e2441102085357193a09; classtype:trojan-activity; sid:21376; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bifrose.EF runtime traffic detected"; flow:to_server,established; content:"/Gateway/sendmail.php"; nocase; http_uri; content:"www.odesayazilim.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=b3488b084597cdf912e73e4368591c41; classtype:trojan-activity; sid:21374; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malware Defense runtime traffic detected"; flow:to_server,established; content:"/md|5F|db"; nocase; http_uri; content:"onlinesecureserver.cn"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=ee36ecf17d37f2fb7667586ee2cf3d1b; classtype:trojan-activity; sid:21373; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malware Defense runtime traffic detected"; flow:to_server,established; content:"/md|5F|db"; nocase; http_uri; content:"briefscaner.cn"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=ee36ecf17d37f2fb7667586ee2cf3d1b; classtype:trojan-activity; sid:21372; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wallop.de runtime traffic detected"; flow:to_server,established; content:"/file.vul"; nocase; http_uri; content:"belmeb.net"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=2b94add1517647883f4265d6b6634293; classtype:trojan-activity; sid:21369; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wallop.de runtime traffic detected"; flow:to_server,established; content:"/file.vul"; nocase; http_uri; content:"vulnash.narod.ru"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=2b94add1517647883f4265d6b6634293; classtype:trojan-activity; sid:21368; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32 VB.abcl runtime traffic detected"; flow:to_server,established; content:"/Main.exe"; nocase; http_uri; content:"www.lord|2D|ps.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=efdfaa0a1877a7a1c111a7dade7276c0; classtype:trojan-activity; sid:21367; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8277 (msg:"MALWARE-CNC DOQ.gen.y INSTALL traffic detected"; flow:to_server,established; content:"tempxxp.3322.org"; nocase; http_header; content:"/log.css"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=fe7f4a557697e0f3d1d87b09218a2be3; classtype:trojan-activity; sid:21366; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8277 (msg:"MALWARE-CNC DOQ.gen.y RUNTIME traffic detected"; flow:to_server,established; content:"User|2D|Agent|3A| MyLove"; nocase; http_header; content:"/log.txt"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=fe7f4a557697e0f3d1d87b09218a2be3; classtype:trojan-activity; sid:21365; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC DOQ.gen.y RUNTIME traffic detected"; flow:to_server,established; content:"User|2D|Agent|3A| MyApp"; fast_pattern:only; http_header; content:"/countlog/count.asp"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=fe7f4a557697e0f3d1d87b09218a2be3; classtype:trojan-activity; sid:21364; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS.aa runtime traffic detected"; flow:to_server,established; content:"graduallygot.cn"; fast_pattern:only; http_header; content:"/css/crcmds/main"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/latestreport.html?resource=7fba26357763cde0e1c7b268f36680cf; classtype:trojan-activity; sid:21362; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 2020 (msg:"MALWARE-CNC Worm.Win32.TDownland.ca runtime traffic detected"; flow:to_server,established; content:"|00 00 00 00 00 12 00 00 00 00|"; depth:10; reference:url,www.virustotal.com/latestreport.html?resource=89ab7d8e7c7b8d5802b85365bae2d6ce; classtype:trojan-activity; sid:21361; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 220 (msg:"MALWARE-CNC Win32 Agent.dbzx runtime traffic detected"; flow:to_server,established; content:"|38 1F 2E 44 27 60 CE F8 BE BC 1A 4B 05 2D EF BB|"; depth:16; reference:url,www.virustotal.com/latestreport.html?resource=a4754be7b34ed55faff832edadac61f6; classtype:trojan-activity; sid:21360; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.VB.jju runtime traffic detected"; flow:to_server,established; content:"MODE USA|7C|"; depth:9; nocase; content:"JOIN |23|fuck"; within:25; distance:10; nocase; reference:url,www.virustotal.com/latestreport.html?resource=c9cb09702d6b75d5b8252df08dcd0027; classtype:trojan-activity; sid:21359; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV TDSS/PurpleHaze variant outbound connection - base64 encoded"; flow:to_server,established; content:"Accept-Language|3A 20|en-US|0D 0A|User-Agent|3A 20|Mozilla/4.0|20|(compatible"; fast_pattern:only; http_header; content:!"Referer"; http_header; pkt_data; content:"GET /"; depth:5; base64_decode:relative; base64_data; content:"cl|7C|1.6|7C|"; content:"|7C|161"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:trojan-activity; sid:21318; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dofoil variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/hhh/index.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21313; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dofoil variant outbound connection"; flow:to_server,established; content:"/send/log.php"; http_uri; content:"id="; http_client_body; content:"link="; distance:0; http_client_body; content:"password="; distance:0; http_client_body; content:"debug="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; reference:url,www.virustotal.com/file/3cf5e228deffb924d84ffbc8975f9cf1f62837078793bced52be6a3adf2d6d47/analysis/; classtype:trojan-activity; sid:21311; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spyeye variant outbound connectivity check"; flow:to_server,established; content:"/ib2/"; http_uri; content:"Referer|3A 20|http|3A 2F 2F|disney.com|2F|index.html"; http_header; pcre:"/\x2fib2\x2f$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/10b9e42a99890e672c8d3da3bdbe375d681ec9c21a7f7e165041186614d51584/analysis/; classtype:trojan-activity; sid:21306; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"MALWARE-CNC Win32 Initor.ag runtime traffic detected"; flow:to_server,established; content:"|D9 7A 50 65 BD F5 AE D8|"; depth:8; offset:40; reference:url,www.virustotal.com/#/file/1eb4d982c2531d44e1536bcbf4ec27a4/detection; classtype:trojan-activity; sid:21303; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancodor.be runtime traffic detected"; flow:to_server,established; content:"recallbr.com"; fast_pattern:only; http_header; content:"/img/temp.cfg"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c45ab24b85a6a31164a73968e068ff45/detection; classtype:trojan-activity; sid:21294; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 15963 (msg:"MALWARE-CNC Win32 Turkojan.C runtime traffic detected"; flow:to_server,established; content:"sinturkojan"; depth:11; nocase; reference:url,www.virustotal.com/#/file/9d4886470e9f3f7cb71ade62e3d77ddc/detection; classtype:trojan-activity; sid:21280; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot.s runtime traffic detected"; flow:to_server,established; content:"0x1337.0x.ohost.de"; fast_pattern:only; http_header; content:"/de/stat.php"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/aa07cc1b1b4e95d7764676c0572f6d85/detection; classtype:trojan-activity; sid:21279; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shexie.A runtime traffic detected"; flow:to_server,established; content:"/04/rc04.htm"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/7bc0a739ae13b28db9e3a6194a768aa5/detection; classtype:trojan-activity; sid:21277; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hupigon.hddn install time traffic detected"; flow:to_server,established; content:"/setup.exe"; nocase; http_uri; content:"www.sunkub.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=2285527cd528add5ce34a835ea056a68; classtype:trojan-activity; sid:21276; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hupigon.hddn runtime traffic detected"; flow:to_server,established; content:"/control/adsetup.zip"; fast_pattern:only; http_uri; content:"www.tumawo.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=2285527cd528add5ce34a835ea056a68; classtype:trojan-activity; sid:21275; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tusha variant runtime traffic detected"; flow:to_server,established; content:"/mx/memo01/ppp/listdir.php|3F|dir|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/686738eb5bb8027c524303751117e8a9/detection; classtype:trojan-activity; sid:21274; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tusha variant runtime traffic detected"; flow:to_server,established; content:"/on/page01/ppp/listdir.php|3F|dir|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/686738eb5bb8027c524303751117e8a9/detection; classtype:trojan-activity; sid:21273; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cycbot variant outbound connection"; flow:to_server,established; content:"?sv="; fast_pattern; http_uri; content:"&tq="; distance:0; http_uri; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; pcre:"/\x3fsv\x3d\d{1,3}\x26tq\x3d/smiU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21269; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sirefef.P variant outbound connection"; flow:to_client,established; flowbits:isset,sirefef.run; content:"CountUid="; nocase; content:"CountUid="; nocase; http_cookie; content:"_hstbhid="; nocase; http_cookie; file_data; content:"GIF"; depth:3; metadata:service http; reference:url,www.virustotal.com/en/file/2306a17d800668966e0de97e5d6179bad3bed518502a44725b34e3e506200c3c/analysis/; classtype:trojan-activity; sid:21252; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sirefef.P variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent: Opera/6 (Windows NT"; nocase; http_header; content:"Cookie|3A 20 0D 0A|"; fast_pattern; nocase; http_header; content:"0.gif"; nocase; http_uri; flowbits:set,sirefef.run; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/en/file/2306a17d800668966e0de97e5d6179bad3bed518502a44725b34e3e506200c3c/analysis/; classtype:trojan-activity; sid:21251; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBasddsa.A runtime traffic detected"; flow:to_server,established; content:"bot/log.php|3F|"; nocase; http_uri; content:"id|3D|"; nocase; http_uri; content:"|2B|New|2B|Infection"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c87b0e2e68cdbf3d88a2f235e1cc54c3/detection; classtype:trojan-activity; sid:21250; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBasddsa.A runtime traffic detected"; flow:to_server,established; content:"bot/command.php|3F|"; nocase; http_uri; content:"id|3D|"; nocase; http_uri; content:"|26|ver|3D|"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/c87b0e2e68cdbf3d88a2f235e1cc54c3/detection; classtype:trojan-activity; sid:21249; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; flow:to_server,established; content:"/redirect.php?id="; http_uri; content:"&u="; distance:0; http_uri; content:"&cv="; distance:0; http_uri; content:"&sv="; distance:0; http_uri; content:"&os="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/735fd8ce66e6f0e412f18242d37c12fb38f26f471051eac2f0fe2df89d0e4966/analysis/; classtype:trojan-activity; sid:21242; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater initial variant outbound connection"; flow:to_server,established; content:"/search?qu="; http_uri; content:"User-Agent|3A 20|Firefox|2F|2.0.0.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21241; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; flow:to_server,established; content:"/search"; http_uri; content:"?h1="; distance:0; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"/logo.png?"; http_uri; content:"&tq="; distance:0; http_uri; content:"gSoSEU"; distance:0; http_uri; pcre:"/logo\.png\x3f(sv\x3d\d{1,3})?\x26tq\x3d.*?SoSEU/smiU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b9231471a9af849ccf3690ebc12cdc7ac4d942f6e417ba7261e7a4414bf1e329/analysis/; classtype:trojan-activity; sid:21239; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedobot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/?I=1"; nocase; http_uri; content:"P="; depth:2; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/07125a09553707277495b50f56ea4b15804923e24f9cf4085974ceedb30655d0/analysis/; classtype:trojan-activity; sid:21231; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9 97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9/analysis/; classtype:trojan-activity; sid:21230; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Synljdos variant outbound connection"; flow:to_server,established; content:"|3C 41 49 6F 02 C4 36 1C 2E 61 D7 05 5E BA 4D 4E|"; depth:16; reference:url,www.virustotal.com/en/file/e249991fde0d6198c40ad5cefef3ef3f6a9a06b2d01945f3acbf52cd948e9d38/analysis/; classtype:trojan-activity; sid:21229; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Cerberat variant outbound connection"; flow:to_server,established; dsize:32<>384; content:"Ypmw1Syv023Q"; depth:12; reference:url,www.virustotal.com/#/file/bd0e371ef7e73a26a0864f96e78dc8d3/detection; classtype:trojan-activity; sid:21228; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bulknet variant outbound connection"; flow:to_server,established; dsize:>61; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; isdataat:50,relative; reference:url,www.virustotal.com/en/file/c8a18969ede4c5999a485a3c2957491cffcc9d900d605f1bff507e1efadd8d9a/analysis/; classtype:trojan-activity; sid:21227; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Louisdreyfu.A variant outbound connection"; flow:to_server,established; content:"?hostname="; nocase; http_uri; content:"&httptype="; distance:0; nocase; http_uri; content:"httptunnel"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/e2faf04b15a6acaea6ed40ef16a900b187f4df1359de9d796c1903e83a47505a/analysis/; classtype:trojan-activity; sid:21226; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.MacOS.DevilRobber.A variant outbound connection"; flow:to_server,established; dsize:36<>44; content:"STOR 0x"; depth:7; nocase; content:"_0"; within:2; distance:8; content:"_0"; within:4; distance:7; content:".zip|0D 0A|"; within:8; distance:7; nocase; metadata:service ftp; reference:url,www.virustotal.com/en/file/584e1db5b5172471dbf4746d6f827dd49eb96031ea5c7381468db4ec3d0c8d59/analysis/; classtype:trojan-activity; sid:21224; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Gyplit.A variant outbound connection"; flow:to_server,established; content:"/log"; depth:64; offset:4; content:"|0D 0A 0D 0A 79 7F 24 7F 80 7D|"; within:256; distance:32; reference:url,www.virustotal.com/en/file/fb2aa395647558efec49a41d48aeff3f079d6c61eaa64fd7e25601caba9ac141/analysis/; classtype:trojan-activity; sid:21223; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Kcahneila.A variant outbound connection"; flow:to_server,established; dsize:50<>500; content:"INFO|7C|Infected"; depth:13; nocase; pcre:"/^.+\x7c(\d{1,3}\x2e){3}\d{1,3}\x7c/GR"; reference:url,www.virustotal.com/en/file/e3384e084cc7878a4e33c1b29064d548a36a0f54da6f5e91c0bc81e9208300d0/analysis/; classtype:trojan-activity; sid:21222; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"MALWARE-CNC Win.Trojan.Susnatache.A variant outbound connection"; flow:to_server,established; dsize:11; content:"emptycache|00|"; nocase; reference:url,www.virustotal.com/en/file/7a00a49c07d25fe37a6d563f683e07d0b18ad80fb860efc686629be4c33c1d22/analysis/; classtype:trojan-activity; sid:21221; rev:5;)
# alert tcp $EXTERNAL_NET 1800 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Susnatache.A inbound connection"; flow:to_client,established; dsize:7<>50; content:"susnata"; depth:7; nocase; reference:url,www.virustotal.com/en/file/7a00a49c07d25fe37a6d563f683e07d0b18ad80fb860efc686629be4c33c1d22/analysis/; classtype:trojan-activity; sid:21220; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9088 (msg:"MALWARE-CNC Win.Trojan.Sysckbc variant outbound connection"; flow:to_server,established; content:"1#2#"; depth:4; fast_pattern; content:"Service Pack"; distance:0; nocase; reference:url,www.virustotal.com/en/file/35d916c7cf7cab30f1a17ca3eeffeb2acd8852a1908e214a425fa36067920944/analysis/; classtype:trojan-activity; sid:21219; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sodager.C variant outbound connection"; flow:to_server,established; content:"/?MD5="; http_uri; pcre:"/[A-Z]{10,30}\x2f\x3fMD5\x3d[0-9a-f]{32}/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/2ba223b6c0a2fa0a69c521dd430ce31910a057e8e0d803f22bb5264b51fffc8f/analysis/; classtype:trojan-activity; sid:21218; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.Am variant outbound connection"; flow:to_server,established; content:"table1|3D|"; nocase; http_client_body; content:"|26|table2|3D|"; within:8; distance:4; nocase; http_client_body; content:"|26|table3|3D|"; within:8; distance:4; nocase; http_client_body; content:"|26|table40|3D|"; within:9; distance:466; http_client_body; content:"|26|nds|3D|"; within:5; distance:4; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/c3a8b438c4ba2ea7f193ec6acb81ec9ddaa1bfeb07d046e30042b739cdb613d6/analysis/; classtype:trojan-activity; sid:21217; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.Am variant outbound connection"; flow:to_server,established; content:"agencia|3D|"; nocase; http_client_body; content:"|26|conta|3D|"; within:7; distance:4; nocase; http_client_body; content:"|26|senhaeletronica|3D|"; within:17; distance:6; nocase; http_client_body; content:"|26|senhadocartao|3D|"; within:15; distance:8; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/c3a8b438c4ba2ea7f193ec6acb81ec9ddaa1bfeb07d046e30042b739cdb613d6/analysis/; classtype:trojan-activity; sid:21216; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.Am variant outbound connection"; flow:to_server,established; content:"he|3D|"; nocase; http_client_body; content:"|26|topo|3D|"; within:64; distance:1; nocase; http_client_body; content:"|26|msg|3D|PC"; within:64; distance:3; nocase; http_client_body; content:"Dt"; within:64; distance:3; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/c3a8b438c4ba2ea7f193ec6acb81ec9ddaa1bfeb07d046e30042b739cdb613d6/analysis/; classtype:trojan-activity; sid:21215; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Cridex.B variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/ram/in/index.php"; fast_pattern:only; http_uri; content:".exe0"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/261433a591319a903b2bcd9c97f73f9e1d61c601849a3a9651976c454cd6205d/analysis/; classtype:trojan-activity; sid:21213; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Hupigon.nkor variant outbound connection"; flow:to_server,established; dsize:5; content:"HTTP|00|"; depth:5; nocase; reference:url,www.virustotal.com/en/file/505d210dc2131b6ff59383df29f63d641c6a201dbfa3c3fe10922c32f385d3f2/analysis/; classtype:trojan-activity; sid:21212; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.slrj variant outbound connection"; flow:to_server,established; content:"upd=aviso&maquina="; nocase; http_client_body; content:"&dados="; within:64; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/9f9640cc6bdcb671ea74fa5baa0509acb842ca6a930e374a256e268314c6167d/analysis/; classtype:trojan-activity; sid:21211; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rallovs.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/query.asp"; http_uri; content:"Content-Length|3A| 11"; nocase; http_header; content:"ID=FFFFFFFF"; fast_pattern; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/902fbe690f4d0677d62e254d59584c3ef33e501e379a88c98edfe6e029a84db2/analysis/; classtype:trojan-activity; sid:21210; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Enviserv.A variant outbound connection"; flow:to_server,established; content:".html?nhSzgF"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/03b29dd555a85e8db94b94aa3b535a79b542eab41c24e82d57248fb800e876d2/analysis/; classtype:trojan-activity; sid:21209; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4455 (msg:"MALWARE-CNC Win.Trojan.RShot.brw variant outbound connection"; flow:to_server,established; dsize:<120; content:"connected#"; depth:10; content:"#Windows"; distance:0; pcre:"/\x23\d{2}\x3a\d{2}\x3a\d\d$/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6794c1cb09ec3f42f2732369c8c25a5999eb908262cd75d1a4cda4d25adf8a37/analysis/; classtype:trojan-activity; sid:21208; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dekara.A variant outbound connection"; flow:to_server,established; content:"/connect.php?hwid="; nocase; http_uri; content:"&pc="; distance:0; nocase; http_uri; pcre:"/\x3Fhwid\x3D[0-9a-f]{4}\x2D[0-9a-f]{4}\x26/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/ce1e77bd7c3ec303d89f9215d1e4ddd945030daa6da69ebefcbaaaf87d49d975/analysis/; classtype:trojan-activity; sid:21207; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Virus Win.Trojan.Induc.B variant outbound connection"; flow:to_server,established; content:"/image.php?u=696"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4a3b7d8ee8db1bf0698ddad82b5b68b1c6e37def1bee3f45da1a1c7a35cf9d1b/analysis/; classtype:trojan-activity; sid:21205; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Virus Win.Trojan.Induc.B variant outbound connection"; flow:to_server,established; content:"/49/49632.jpg"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4a3b7d8ee8db1bf0698ddad82b5b68b1c6e37def1bee3f45da1a1c7a35cf9d1b/analysis/; classtype:trojan-activity; sid:21204; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Virus Win.Trojan.Induc.B variant outbound connection"; flow:to_server,established; content:"/av-33970.jpg"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4a3b7d8ee8db1bf0698ddad82b5b68b1c6e37def1bee3f45da1a1c7a35cf9d1b/analysis/; classtype:trojan-activity; sid:21203; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scapzilla.A variant outbound connection"; flow:to_server,established; content:"_3d HTTP/"; depth:9; offset:21; nocase; content:!"|0A|User-Agent|3A|"; nocase; pcre:"/\x2f[0-9A-Z]{15}_3d/Ui"; metadata:service http; reference:url,www.virustotal.com/en/file/8d0162c0a6b4cd6e0f25f0b785efe45351d2a57d16fe3ae29a2c396ba676eb58/analysis/; classtype:trojan-activity; sid:21202; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes.cmu variant outbound connection"; flow:to_server,established; content:"Content-Disposition|3A 20|form-data|3B 20|name=|22|data|22|"; http_client_body; content:"OLfa"; http_client_body; content:"FDyK"; within:4; distance:4; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/eebeb9512133eda8cdaf07b98035e764a5e2093dffe45e8e226514dc4e66073d/analysis/; classtype:trojan-activity; sid:21201; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes.cmu variant outbound connection"; flow:to_server,established; content:"Content-Disposition|3A 20|form-data|3B 20|name=|22|data|22|"; http_client_body; content:"OLfa"; http_client_body; content:"RC+d"; within:4; distance:4; http_client_body; metadata:service http; reference:url,www.virustotal.com/file/eebeb9512133eda8cdaf07b98035e764a5e2093dffe45e8e226514dc4e66073d/analysis/; classtype:trojan-activity; sid:21200; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qinubot.A variant outbound connection"; flow:to_server,established; content:"program=bot&country="; nocase; http_client_body; content:"&hwid="; within:128; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/3556c64cc381d3dc8ff70333b7c6cb5d4ac41c1b79f27f16e279010b11643920/analysis/; classtype:trojan-activity; sid:21199; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qinubot.A variant outbound connection"; flow:to_server,established; content:"program="; nocase; http_client_body; content:"&name="; within:48; nocase; http_client_body; content:"&opsys=Win"; within:48; nocase; http_client_body; content:"&hwid="; within:64; distance:2; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/3556c64cc381d3dc8ff70333b7c6cb5d4ac41c1b79f27f16e279010b11643920/analysis/; classtype:trojan-activity; sid:21198; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw.A variant outbound connection"; flow:to_server,established; content:"id="; http_client_body; content:"&bid="; within:32; nocase; http_client_body; content:"&query=sniff&data="; within:32; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/870a7f1a6ba8bf6d8cb3af27b7ffb95046247d1c457d4fc2f8ec8ee5e9325d69/analysis/; classtype:trojan-activity; sid:21197; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/client.html"; nocase; http_uri; content:"id="; nocase; http_client_body; content:"&query=sniff"; within:64; distance:8; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/870a7f1a6ba8bf6d8cb3af27b7ffb95046247d1c457d4fc2f8ec8ee5e9325d69/analysis/; classtype:trojan-activity; sid:21196; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Protux.B variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:512; offset:10; byte_test:2,>,0,0,relative,little; byte_jump:2,0,relative,little; pcre:"/^..$/R"; metadata:service http; reference:url,www.virustotal.com/en/file/d07b1f8f8c2dec9126d087fa3f2f95801888848eb8051b005238f4e6516f1fd2/analysis/; classtype:trojan-activity; sid:21195; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Wealwedst.A variant outbound connection"; flow:to_server,established; content:"Stealer by "; depth:11; nocase; content:"Windows Key|3A 20|"; within:64; distance:64; reference:url,www.virustotal.com/en/file/d4f86317be349ad7de04a52de51ec3c465da7bc1f304ff063dfc90bd2c0ad274/analysis/; classtype:trojan-activity; sid:21194; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalbot.A variant outbound connection"; flow:to_server,established; content:"Y29tbWFuZD1H"; content:"Y29tbWFuZD1H"; http_cookie; metadata:service http; reference:url,www.virustotal.com/en/file/c15a46b25148edccfad9ee52527e4adc9c91a79a28a3ddbd8fa1a0d08f643190/analysis/; classtype:trojan-activity; sid:21193; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Syswrt.dvd variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/CMS_SubitAll.cgi"; fast_pattern:only; http_uri; content:!"User|2D|Agent|3A| "; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/010b94c4d4c789ab4d6ad7ad56c8b227ef7e2aac891512dfad8cee4ec2b8214a/analysis/; classtype:trojan-activity; sid:21192; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Xlahlah.A variant outbound connection"; flow:to_server,established; content:"|17 00 00 00 0A 00 00 00 74|"; depth:9; offset:5; reference:url,www.virustotal.com/en/file/81820903a09632ca704e6f8f274f3c1c4532c84c8bc81c2208856dab4405e60e/analysis/; classtype:trojan-activity; sid:21187; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Worm.Win32.Kufgal.A inbound connection"; flow:to_client,established; file_data; content:"[index]"; nocase; content:"[pop]"; distance:0; nocase; content:"[file]"; distance:0; nocase; content:"[buffer]"; distance:0; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/659eadd06f46e31d3d2573624d2e04e0c65bc476d8e46efaa93c2e5906a02fea/analysis/; classtype:trojan-activity; sid:21185; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.alfu variant outbound connection"; flow:to_server,established; content:"/install.asp?version="; nocase; http_uri; content:"code="; distance:0; nocase; http_uri; content:"mac="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/7fed65672b9d4327e1653cafa7a307be470d869193452348cb38ab4dfbb14abe/analysis/; classtype:trojan-activity; sid:21183; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5011 (msg:"MALWARE-CNC Win.Trojan.MeSub.ac variant outbound connection"; flow:to_server,established; content:"$0&1"; depth:4; reference:url,www.virustotal.com/en/file/e476a942276c8127c9cb7f0e86fc52dcb4e55a4308b11c7ed091e7b8a77eabec/analysis/; classtype:trojan-activity; sid:21182; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.czgu variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/pw.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/852ac8ee557fd743ff16b01307013ede91b1a2f906bac957a845cf8ad4c3ceb6/analysis/; classtype:trojan-activity; sid:21181; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Magania.clfv variant outbound connection"; flow:to_server,established; content:"/1mg/am1.rar"; fast_pattern:only; http_uri; content:!"Referer"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/564c9163ba16afec4569ea71c373e12be46cfbdb4fd6c3c08b85a6a7ca74c1e6/analysis/; classtype:trojan-activity; sid:21180; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Coofus.RFM variant outbound connection"; flow:to_server,established; content:"UserName|3A| "; depth:10; nocase; content:"|0A|HostName|3A|"; within:42; nocase; content:"|0A|Address "; within:64; distance:22; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/450b8d3ed526e2810521537d201883203bc097204abab734fb18669f853190bf/analysis/; classtype:trojan-activity; sid:21179; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Chekafe.A variant outbound connection"; flow:to_server,established; content:"&isInst="; depth:64; offset:6; nocase; content:"&lockcode="; within:15; nocase; content:"&PcType="; within:64; distance:22; nocase; content:"&AvName="; within:32; nocase; content:"User-Agent|3A| my_check_data|0D 0A|"; within:100; distance:20; nocase; reference:url,www.virustotal.com/en/file/ffe0e6edad3bab11e4d6d5799c2d0858c70b8a9f71df6d4067faa6bf5f2513db/analysis/; classtype:trojan-activity; sid:21178; rev:6;)
# alert tcp $EXTERNAL_NET 2222 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Ganipin.A inbound connection"; flow:to_client,established; dsize:9; content:"COMMAND_"; depth:8; reference:url,www.virustotal.com/en/file/0c3af6fd1ac08104b4ffc5b97a7b8643bc96d2d0e9108b04bf5202cb2574bda9/analysis/; classtype:trojan-activity; sid:21177; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stegae.A runtime traffic detected"; flow:to_server,established; content:"|2F|bcaw2|2F|gate|2E|php"; fast_pattern:only; http_uri; content:"[]=%"; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/fc34996dfae51c62be50d19fcfc43699/detection; classtype:trojan-activity; sid:21151; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neraweq.A runtime traffic detected"; flow:to_server,established; content:"|2F|check|5F|system|2E|php"; fast_pattern; nocase; http_uri; content:"User|2D|Agent|3A| Mozilla|2F|5|2E|0"; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/dcdfb531f77ad9b5637d4d0d56e21e71/detection; classtype:trojan-activity; sid:21145; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot.PKJ runtime traffic detected"; flow:to_server,established; content:"/player.exe"; nocase; http_uri; content:"pro-dancing.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/b36255503feb4cc0cc4ed7dc7c98a015/detection; classtype:trojan-activity; sid:21144; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot.PKJ runtime traffic detected"; flow:to_server,established; content:"/dance.php"; nocase; http_uri; content:"pro-dancing.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/b36255503feb4cc0cc4ed7dc7c98a015/detection; classtype:trojan-activity; sid:21143; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot.PKJ runtime traffic detected"; flow:to_server,established; content:"/select.bin"; nocase; http_uri; content:"pro-dancing.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/b36255503feb4cc0cc4ed7dc7c98a015/detection; classtype:trojan-activity; sid:21142; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dromedan.A runtime traffic detected"; flow:to_server,established; content:"stat3.php"; nocase; http_uri; content:"data|3D|nnniqk"; depth:11; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/ce73520ff9bf99d93981478da6f923f9/detection; classtype:trojan-activity; sid:21128; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Setfic.A runtime traffic detected"; flow:to_server,established; content:"/ws/stat.php"; nocase; http_uri; content:"id="; nocase; http_client_body; content:"sport="; nocase; http_client_body; content:"hport="; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/3a7a25291cfb53a0a8fa62c2918858df/detection; classtype:trojan-activity; sid:21127; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Koutodoor.C runtime traffic detected"; flow:to_server,established; content:"stat.php"; nocase; http_uri; content:"ms1vtlnu"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/fafeb3a8bea204f70109ef16bd549355/detection; classtype:trojan-activity; sid:21126; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alureon.DG runtime traffic detected"; flow:to_server,established; content:"/allbots_private_stat/cmd.php"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/31bd0d7e42b3ba104cd86c94b2ed6e07/detection; classtype:trojan-activity; sid:21125; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Opachki.A runtime traffic detected"; flow:to_server,established; content:"Accept-Encoding: bbbbbbbbb"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/2ded7ee112cea2db509ba95dc09fded6/detection; classtype:trojan-activity; sid:21124; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Flymux.A runtime traffic detected"; flow:to_server,established; content:"|2F 2F|lin|2F 2F|lin.asp"; fast_pattern:only; content:"cpname"; nocase; http_client_body; content:"hardid"; nocase; http_client_body; content:"netid"; nocase; http_client_body; content:"user"; nocase; http_client_body; content:"ver"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f28d817da5cc7e8316792008b9033327/detection; classtype:trojan-activity; sid:21123; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Win.Trojan.Bandok.zp runtime traffic detected"; flow:to_server,established; content:"|CF 8F 80 9B 9A 9D CF C9|"; depth:8; content:"|20 26 26 26|"; within:512; distance:64; reference:url,www.virustotal.com/#/file/236ef51185dd3c653f6b2673cab763c8/detection; classtype:trojan-activity; sid:21122; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"MALWARE-CNC Bindow.Worm runtime traffic detected"; flow:to_server,established; content:"|48 69 64 64 65 6E 00 00 48 69 64 65 46 69 6C 65 45 78 74 00 53 68 6F 77 53 75 70 65 72 48 69 64 64 65 6E 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; reference:url,www.virustotal.com/#/file/4d0d380279884dd0334b4d967e8b0566/detection; classtype:trojan-activity; sid:21087; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8536 (msg:"MALWARE-CNC Win.Trojan.AutoIt.pm runtime traffic detected"; flow:to_server,established; content:"GET|20 2F|"; depth:5; nocase; content:"User|2D|Agent|3A| AutoIt"; distance:0; nocase; content:"Host|3A| cccp|2E|fam|2E|cx"; distance:0; nocase; reference:url,www.virustotal.com/#/file/c531ce5275bd3e8c8237f50415f7ca5a/detection; classtype:trojan-activity; sid:21058; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Utka.A variant outbound connection"; flow:to_server,established; content:"/pages/yiun607.txt"; fast_pattern:only; http_uri; content:!"Referer"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/af04670ab1ff61b866aac4c32767890af9267b870a974bec45ea7e3e3af9496a/analysis/; classtype:trojan-activity; sid:21055; rev:7;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Sykipot C&C"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 C4 67 9A 04 97 41 EF 47|"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html; classtype:trojan-activity; sid:21047; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Usinec connect to server"; flow:to_server,established; content:"q.php"; nocase; http_uri; content:"c=e"; distance:0; http_uri; content:"t=VGFza0lEPT"; distance:0; http_uri; content:"s="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/c6427601e12a1c60c046e296c2b40fb60707a0d5b0217fdbe58f5273392f6a49/analysis/; classtype:trojan-activity; sid:21028; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Yang Pack yg.htm landing page"; flow:to_client,established; flowbits:isset,yg.download; file_data; content:"booom1()"; content:"booom2()"; distance:0; content:"booom3()"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0806; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-3544; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:21006; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Yang Pack yg.htm download request"; flow:to_server,established; content:"yg.htm"; fast_pattern:only; http_uri; flowbits:set,yg.download; flowbits:noalert; metadata:service http; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:21005; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Cute Pack cute-ie.html landing page"; flow:to_client,established; file_data; content:"CutePower"; content:"CuteMoney"; distance:0; content:"CuteShine"; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0806; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:21004; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cute Pack cute-ie.html request"; flow:to_server,established; content:"CUTE-IE.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2010-0806; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:21003; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spyeye-207 variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/rec.php"; nocase; http_uri; content:"data="; http_client_body; pcre:"/rec\.php$/Usmi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7595cde4ead4c3ad0015a2797fd5f9e6217bad2bf6e2d78576c924978c83b0cc/analysis/; classtype:trojan-activity; sid:20927; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Skopvel.A runtime traffic detected"; flow:to_server,established; content:".php?logdata=Infected"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/6da34a083feef6f9553e492e10537ca5/detection; classtype:trojan-activity; sid:20892; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.adbp runtime traffic detected"; flow:to_server,established; content:"/images/index.php?repeat="; nocase; http_uri; content:"&nocache="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/56d77de9dbded23eb4adf870355e55d8/detection; classtype:trojan-activity; sid:20891; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.adbp runtime traffic detected"; flow:to_server,established; content:"/images/index2.php?repeat="; nocase; http_uri; content:"&nocache="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/56d77de9dbded23eb4adf870355e55d8/detection; classtype:trojan-activity; sid:20890; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RunTime Worm.Win32.Warezov.gs variant outbound connection"; flow:to_server,established; content:"cycle_report"; fast_pattern:only; http_uri; pcre:"/cycle_report[^\x3F]+\x3F((type|system|id|status|n|extra)=[^\x26]+\x26){5}/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/84b8a99a647d21a4afd3b02f4c6ffcbf/detection; classtype:trojan-activity; sid:20877; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.smxy runtime traffic detected"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/&|3B|^UYNCJ_:RNWV"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/a3bfde10233cb6c80751db7a12eb1521/detection; classtype:trojan-activity; sid:20844; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smokebot.A runtime traffic detected"; flow:to_server,established; content:"|3F|cmd|3D|gettask"; nocase; http_uri; content:"|26|login|3D|"; distance:0; nocase; http_uri; content:"|26|bits|3D|"; distance:0; nocase; http_uri; pcre:"/\x3Fcmd\x3Dgettask\x26login\x3D\w+.*?bits\x3D/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/7caaae8c46709c92dbb13145100d6ebf/detection; classtype:trojan-activity; sid:20838; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Mecklow.C runtime traffic detected"; flow:to_server,established; content:"|2F|aws"; depth:4; offset:4; nocase; content:"|2E|jsp|3F|"; within:9; distance:1; nocase; pcre:"/\x2Faws\d{1,5}\.jsp\x3F/i"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4b873858b58be4b47013545420f27759/detection; classtype:trojan-activity; sid:20837; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"MALWARE-CNC Win.Trojan.Zusy.A runtime traffic detected"; flow:to_server,established; content:"insert into clientes1 |28|Descricao|29|"; depth:33; offset:5; nocase; reference:url,www.virustotal.com/#/file/0e8c3c08df2649d51afc4fc9a3e9534a/detection; classtype:trojan-activity; sid:20836; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra.amdu variant outbound connection"; flow:to_server,established; content:"insertsql.php?"; fast_pattern:only; http_uri; content:"&parametros"; nocase; http_client_body; content:"RESPOSTA"; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/0d878d01e853a6c3a19b7232fdf0eb3dfd49b24c42b1f8f7226f0f2e7a3d8b51/analysis/; classtype:trojan-activity; sid:20830; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spyeye-206 variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:!"vcs="; http_client_body; content:"/gate.php"; fast_pattern:only; http_uri; content:"data="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,spyeyetracker.abuse.ch; classtype:trojan-activity; sid:20763; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacOS.Flashback.A variant outbound connection"; flow:to_server,established; content:"/counter/"; nocase; http_uri; content:"User|2D|Agent|3A| "; nocase; http_header; content:"install|20 28|unknown version|29|"; within:64; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8061839dfd1167b115865120728c806791f40ee422760866f303607dbd8a9dda/analysis/; reference:url,www.virustotal.com/en/file/baa14d6bfbff020007c330aa7872e89337fd0036ebfdfa4b4f1d61565c2b0f96/analysis/; classtype:trojan-activity; sid:20762; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gbot.oce variant outbound connection"; flow:to_server,established; content:"index.html?tq="; http_uri; content:"User-Agent|3A 20|mozilla/2.0|0D 0A|"; fast_pattern; http_header; content:"Content-Length|3A 20|0|0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/40324644d689f5cef21e9035d6b482079a94e540e18a93352acc32d48e9ba64e/analysis/; classtype:trojan-activity; sid:20759; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|hello|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e75c7e39e9e740fd1579d73d457db319f277345022c0ab46c77d480a6f93fd8/analysis/; classtype:trojan-activity; sid:20756; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Krap variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|id="; nocase; http_header; content:"tick="; distance:0; nocase; http_header; content:"ver="; distance:0; nocase; http_header; content:"smtp="; distance:0; nocase; http_header; content:"task="; distance:0; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/18bf1732e9f22502b1b4b1eeb7ebde8249fb7551963a9e1e642efd1add5fde15/analysis/; classtype:trojan-activity; sid:20755; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Virut-3 variant outbound connection"; flow:to_server,established; content:"default.php?qry="; http_uri; content:"tgt="; distance:0; http_uri; content:"searchKey="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/67a4a0ad409127cee7d4b384b500b6e88ca6b8ec95c8c1132adb8834604f4ad2/analysis/; classtype:trojan-activity; sid:20754; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom.CK connect to cnc server"; flow:to_server,established; content:"/ib2/"; nocase; http_uri; content:"Referer|3A| res:"; nocase; http_header; content:"|5C|mahmud.exe/main"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/541662fe54e7607fcccba98051ebed36/detection; classtype:trojan-activity; sid:20697; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom.CK connect to cnc server"; flow:to_server,established; content:"/check?a=2"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B|)"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/541662fe54e7607fcccba98051ebed36/detection; classtype:trojan-activity; sid:20696; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.GZW connect to cnc server"; flow:to_server,established; content:"POST"; http_method; content:"/contador.php"; nocase; http_uri; content:"computador"; nocase; http_client_body; content:"UsuarioWindows"; distance:0; nocase; content:"shd_fisico"; distance:0; nocase; content:"windir"; distance:0; nocase; metadata:service http; reference:url,www.virustotal.com/#/file/1A8ED96D2D8EE5AA85D777CB95E45B63/detection; classtype:trojan-activity; sid:20695; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.SSonce.A variant outbound connection"; flow:to_server,established; content:"|01|"; byte_test:1, >, 21,1; content:"|00 00 00 01|"; within:4; distance:1; content:"|7C|Windows"; within:96; fast_pattern; nocase; content:"|7C|"; within:16; reference:url,www.virustotal.com/#/file/93d8b4cf28f0c269daa1d6c868683d20/detection; classtype:trojan-activity; sid:20694; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Blackcontrol.A variant outbound connection"; flow:to_server,established; content:"|30 0C|"; pcre:"/^\x30\x0C[0-9]{2,4}\x0C\x0C/"; content:"CD-KEY|0B|"; depth:512; reference:url,www.virustotal.com/#/file/331fbabe1465c5db540ee264da2ffcb1/detection; classtype:trojan-activity; sid:20693; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Spy.Win32.Zbot.Jeib variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|m2|2F|viewtopic|2E|php"; fast_pattern; nocase; http_uri; content:"Host|3A| wapdodoit|2E|ru"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/507f74fc84bf3db508e09f9d0f0f6869/detection; classtype:trojan-activity; sid:20689; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Spy.Win32.Zbot.Jeib variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2F|mnx|2F|basefile|2E|cfg"; fast_pattern; nocase; http_uri; content:"Host|3A| wapdodoit|2E|ru"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/507f74fc84bf3db508e09f9d0f0f6869/detection; classtype:trojan-activity; sid:20688; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"MALWARE-CNC Trojan-Downloader.Win32.Genome.akhg variant outbound connection"; flow:to_server,established; content:"GET |2F|erku|2E|txt|3F|t|3D|"; depth:72; nocase; reference:url,www.virustotal.com/#/file/c5023ffbda4ef47e904780fcadfda6e4/detection; classtype:trojan-activity; sid:20687; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Virut.BM connect to client"; flow:to_client,established; content:"file0129|2E|iwillhavesexygirls|2E|com|3A|88|2F|erdown|2E|txt"; depth:85; offset:20; nocase; reference:url,www.virustotal.com/#/file/885fad18081918552beb7d1ace2bc20c/detection; classtype:trojan-activity; sid:20686; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heloag.A variant outbound connection"; flow:to_server,established; content:"|2F|reques0|2E|asp|3F|kind|3D|071|26|mac|3D|"; nocase; http_uri; content:"|26|key|3D|"; within:50; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/6e9d91e8238f12cabd32d1724fcea085/detection; classtype:trojan-activity; sid:20685; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cleanvaccine variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A| cleanvaccinesetup|5F|gene"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a6bdfb9e80985be478b95b1540ccafbc/detection; classtype:trojan-activity; sid:20684; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cleanvaccine variant outbound connection"; flow:to_server,established; content:"|2F|etc|2F|yak|5F|app|2E|htm"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/a6bdfb9e80985be478b95b1540ccafbc/detection; classtype:trojan-activity; sid:20683; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Agent.NMS variant outbound connection"; flow:to_server,established; content:"|2F|taskapp|2F|log2|2E|php"; nocase; http_uri; content:"User|2D|Agent|3A| taskapp"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/c513b2b8a9547a6870f120005359fdee/detection; classtype:trojan-activity; sid:20682; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Agent.NMS variant outbound connection"; flow:to_server,established; content:"|2F|taskapp|2F|taskapp|2E|ini"; nocase; http_uri; content:"Host|3A| o|2D|k|2D|g|2D|o|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/c513b2b8a9547a6870f120005359fdee/detection; classtype:trojan-activity; sid:20681; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Syrutrk variant outbound connection"; flow:to_server,established; content:"GET |3F|ddos|3D|x"; nocase; byte_test:1,>,47,0,relative; byte_test:1,<,58,0,relative; metadata:service http; reference:url,www.virustotal.com/#/file/848d6ccd529e55df3f794d616bbbe3e4/detection; classtype:trojan-activity; sid:20679; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Genome.aior variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A| WebUpdate"; fast_pattern:only; http_header; content:"|2F|nineup|2F|1000|2F|nineup|2E|svc"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/40cb3280404e904d07eb3b43c7bdd8fd/detection; classtype:trojan-activity; sid:20678; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EggDrop.acn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|stat1|2E|php"; fast_pattern; nocase; http_uri; content:"content|2D|type|3A| text|2F|html"; nocase; http_header; content:"content|2D|type|3A| image|2F|gif"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/c8586c673bf0ad44b46e0b76aab0fbff/detection; classtype:trojan-activity; sid:20677; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.EggDrop.acn variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2F|stat2|2E|php"; fast_pattern; nocase; http_uri; content:"content|2D|type|3A| text|2F|html"; nocase; http_header; content:"content|2D|type|3A| image|2F|gif"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/c8586c673bf0ad44b46e0b76aab0fbff/detection; classtype:trojan-activity; sid:20676; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Simbda variant outbound connection"; flow:to_server,established; content:"/chrome/report.html?"; nocase; http_uri; pcre:"/report\.html\?\w{3,8}\x3d/Usmi"; metadata:service http; reference:url,www.virustotal.com/en/file/0181b390b5b1110de24a91428e488b26f826581e5f59024fa38ce05449ef5f20/analysis/; classtype:trojan-activity; sid:20661; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malware Win.Trojan.Higest.N variant outbound connection"; flow:to_server,established; content:"/machineid.php?"; nocase; http_uri; content:"checkstr"; distance:0; nocase; http_uri; content:"cpumac"; distance:0; nocase; http_uri; content:"pubuser"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/1354188d4793d02a2304d7e5f0903d3f/detection; classtype:trojan-activity; sid:20639; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Winnti.A contact to cnc server"; flow:to_server,established; content:"|CE FA AD DE 01 00 00 00|"; depth:8; metadata:service http; reference:url,www.virustotal.com/#/file/efdda5d0a14810ff86e60a70c5baa6b0/detection; classtype:trojan-activity; sid:20630; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Shylock.A C&C server response"; flow:to_client,established; file_data; content:"###ERROR_SRC###"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f1169a4413cfce88764f64279f26ee33/detection; classtype:trojan-activity; sid:20627; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shylock.A variant outbound connection"; flow:to_server,established; content:"&bid="; fast_pattern:only; http_client_body; pcre:"/^id=\d+&bid=\d{2}[A-Za-z]{3}&query=\w+&data/Pi"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f1169a4413cfce88764f64279f26ee33/detection; classtype:trojan-activity; sid:20626; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Domsingx.A variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A 20|Mozilla|2F|4|2E|0|20 28|compatible|3B 20|MSIE|20|6|2E|0|3B 20|Win32|29|"; pcre:"/(\x2F[^\x2F]{8}){10}/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/078e4588daf71704d2553b0330b09bd8/detection; classtype:trojan-activity; sid:20606; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.R2d2.A contact to cnc server"; flow:to_server,established; content:"|D2 81 8C 82 25 BA 57 70 23 F8 FF 75 7E 49 2E 41|"; depth:512; reference:url,www.virustotal.com/#/file/309ede406988486bf81e603c514b4b82/detection; classtype:trojan-activity; sid:20605; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus.isqy variant outbound connection"; flow:to_server,established; content:"gate|2E|php|3F|uniqueid|3D|"; nocase; http_uri; content:"|26|totalram|3D|"; distance:0; nocase; http_uri; content:"|26|videocard|3D|"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/5862930b2a83ca26335750c53c14b1be/detection; classtype:trojan-activity; sid:20604; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler.A variant outbound connection"; flow:to_server,established; content:"cmd|3D|getsocks"; nocase; http_uri; content:"User-Agent|3A| Mozilla|2F|4|2E|0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a10dda2a7605a11cee1e5c2fff6e520d/detection; classtype:trojan-activity; sid:20599; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler.A variant outbound connection"; flow:to_server,established; content:"cmd|3D|getproxy"; nocase; http_uri; content:"User-Agent|3A| Mozilla|2F|4|2E|0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a10dda2a7605a11cee1e5c2fff6e520d/detection; classtype:trojan-activity; sid:20598; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler.A variant outbound connection"; flow:to_server,established; content:"cmd|3D|getload"; nocase; http_uri; content:"User-Agent|3A| Mozilla|2F|4|2E|0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a10dda2a7605a11cee1e5c2fff6e520d/detection; classtype:trojan-activity; sid:20597; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smoaler.A variant outbound connection"; flow:to_server,established; content:"cmd|3D|getgrab"; nocase; http_uri; content:"User-Agent|3A| Mozilla|2F|4|2E|0|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a10dda2a7605a11cee1e5c2fff6e520d/detection; classtype:trojan-activity; sid:20596; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ixeshe.F variant outbound connection"; flow:to_server,established; content:"|2F|Attachments|3F|YY|3D|"; fast_pattern:only; http_uri; pcre:"/Attachments\x3FYY\x3D[A-Z]{4}/Ui"; metadata:service http; reference:url,www.virustotal.com/#/file/dee415a322566d6941892d72a731a3b4/detection; classtype:trojan-activity; sid:20595; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Larchik.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"visitas.php?idusu="; fast_pattern:only; http_uri; content:"idusu|3D|crow2011"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/3f895dccee59916dd1baa3d6fc0b3f56/detection; classtype:trojan-activity; sid:20587; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Small.kb variant outbound connection"; flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|U|00|n|00|k|00|n|00|o|00|w|00|n|00|"; within:22; distance:192; fast_pattern; nocase; reference:url,www.virustotal.com/#/file/6350025283739fe25e9e933001233ff7/detection; classtype:trojan-activity; sid:20571; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Small.kb variant outbound connection"; flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|V|00|i|00|s|00|t|00|a|00|"; within:18; distance:192; fast_pattern; nocase; reference:url,www.virustotal.com/#/file/6350025283739fe25e9e933001233ff7/detection; classtype:trojan-activity; sid:20570; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Small.kb variant outbound connection"; flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|W|00|i|00|n|00|"; within:14; distance:186; fast_pattern; nocase; reference:url,www.virustotal.com/#/file/6350025283739fe25e9e933001233ff7/detection; classtype:trojan-activity; sid:20569; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PWSBanker.SHE variant outbound connection"; flow:to_server,established; content:"++%28Vista+"; nocase; http_client_body; content:"%29++"; http_client_body; pcre:"/\x2B\x2B\x2528Vista\x2B.{0,9}\x2529\x2B\x2B/iP"; metadata:service http; reference:url,www.virustotal.com/#/file/cfd8089a7e2e48ad54ff29631751ceaa/detection; classtype:trojan-activity; sid:20562; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PWSBanker.SHE variant outbound connection"; flow:to_server,established; content:"++%28Windows+"; nocase; http_client_body; content:"%29++"; http_client_body; pcre:"/\x2B\x2B\x2528Windows\x2B.{0,9}\x2529\x2B\x2B/iP"; metadata:service http; reference:url,www.virustotal.com/#/file/cfd8089a7e2e48ad54ff29631751ceaa/detection; classtype:trojan-activity; sid:20561; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22292 (msg:"MALWARE-CNC Sirefef initial C&C connection variant outbound connection"; flow:to_server,established; content:"|E5 AA C0 31 A9 BF DC CB 31 5B|"; depth:10; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/097494387732a6d04a1ecced4b99b7ea8c9e4b3a411f1ec40560c6ba1be9dda8/analysis/; classtype:trojan-activity; sid:20527; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Duqu variant outbound connection"; flow:to_server,established; content:"Mozilla/5.0 |28|Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9|29|"; fast_pattern:only; content:"Content|2D|Disposition|3A|"; nocase; http_header; content:"DSC00001.jpg"; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/3d83b077d32c422d6c7016b5083b9fc2/detection; classtype:trojan-activity; sid:20525; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Busifom.A variant outbound connection"; flow:to_server,established; content:"index.php?pc="; http_uri; content:"usu="; distance:0; http_uri; content:"inf="; distance:0; http_uri; content:"so="; distance:0; http_uri; content:"cha="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/749c44fa40da35de081b8fbc00eda885c8bcae3d3ce17b0fe6840d4847103a19/analysis/; classtype:trojan-activity; sid:20449; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meciv.A variant outbound connection"; flow:to_server,established; content:"/Owpq4.cgi"; http_uri; content:")0*|7C|tqHO+HO+HO+HOwktq"; fast_pattern:only; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/34add8e2b6933f0f257f0d581eb9ccd17b8bdb50dc8ef5776421105eee20ac01/analysis/; classtype:trojan-activity; sid:20448; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.JAAK variant outbound connection"; flow:to_server,established; content:"/windowsupdatev7/search?hl="; nocase; http_uri; content:"&q="; distance:0; nocase; http_uri; content:"&meta="; distance:0; nocase; http_uri; content:"&id="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/5ff635c90ed17ac58796ae278ed00db652fafc65a4720baa572333dbc9b876ed/analysis/; classtype:trojan-activity; sid:20447; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TrojanSpy Win.Trojan.Zbot.Svr runtime traffic detected"; flow:to_server,established; content:"imgpic|2F|x18d2|2F|d8x16|2F|x98x10|2E|bin"; nocase; http_uri; content:"updatekernel|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/3cfc97f88e7b24d3ceecd4ba7054e138/detection; classtype:trojan-activity; sid:20435; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hiloti variant outbound connection"; flow:to_server,established; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; within:3; distance:8; nocase; http_uri; isdataat:250,relative; pcre:"/\/get\d*\.php\?c=[A-Z]{8}\&d=[0-9A-F]{250,500}$/U"; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/09cae488fc5b4ceb42fc037359d3413528526b094c95006448734fd89a4d023b/analysis/; reference:url,virustotal.com/en/file/79da768eb15b5d774ba56770eb722d74adfd56cc4ddb7d05fc7b053e37d73514/analysis/; classtype:trojan-activity; sid:20432; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zewit.A variant outbound connection"; flow:to_server,established; content:"/gateway/index"; nocase; http_uri; content:"botver|3D|"; http_client_body; content:"build|3D|KewlHotRod"; fast_pattern:only; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/5d1d445dd94361aee4149c40b721f390ecb96b8deb215c4e8962026fbd62546c/analysis/; classtype:trojan-activity; sid:20428; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FresctSpy.A variant outbound connection"; flow:to_server,established; content:"name|3D 22|uploaddir|22 0D 0A 0D 0A|deluser|2F|"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/61c2dbab2a90512689ac11e724bd8d2923a30780bfb9cac884ba4eb390e8fd40/analysis/; classtype:trojan-activity; sid:20292; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"MALWARE-CNC Win.Trojan.Mybios.A variant outbound connection"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/calc.exe "; within:64; fast_pattern; nocase; reference:url,www.virustotal.com/en/file/8802ad7f2d267b754afef8fd81fe8e5f0ecc13e7f69b82e89e980922d94291ba/analysis/; classtype:trojan-activity; sid:20291; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Doschald.A inbound connection"; flow:to_client,established; file_data; content:"[DDOS_ScriptFlood"; nocase; content:"Flood="; within:64; distance:5; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/3fac5f056e83a970f694e1170d04864250f0b690d8cd473d11a976725f9cd623/analysis/; classtype:trojan-activity; sid:20290; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Doschald.A variant outbound connection"; flow:to_server,established; content:"/kernel/usa.txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/3fac5f056e83a970f694e1170d04864250f0b690d8cd473d11a976725f9cd623/analysis/; classtype:trojan-activity; sid:20289; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"query="; nocase; http_client_body; content:"data="; distance:0; nocase; http_client_body; content:"Computer Name="; distance:0; nocase; http_client_body; content:"Admin="; distance:0; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a33c348c55ba2bddce89a7c51cac117a/detection; classtype:trojan-activity; sid:20281; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:"auth="; nocase; http_uri; content:"version="; distance:0; nocase; http_uri; content:"port25="; distance:0; nocase; http_uri; content:"architecture="; distance:0; nocase; http_uri; content:"rights="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a33c348c55ba2bddce89a7c51cac117a/detection; classtype:trojan-activity; sid:20280; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"MALWARE-CNC DroidKungFu check-in"; flow:to_server,established; content:"POST /search/sayhi.php"; depth:22; nocase; reference:url,www.csc.ncsu.edu/faculty/jiang/DroidKungFu.html; reference:url,www.virustotal.com/en/file/93bc7cae3dc7ecafb01a9d136a7d24e280673f7dde1b30f545e1fe2646e8a66c/analysis/; classtype:trojan-activity; sid:20252; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AdobeReader.Uz runtime traffic detected"; flow:to_server,established; content:"User|2D|Agent|3A| AdobeUpdate"; fast_pattern:only; http_header; content:"|2F|documents|2F|dprk|2F|ab.exe"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/61baabd6fc12e01ff73ceacc07c84f9a/detection; classtype:trojan-activity; sid:20235; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7878 (msg:"MALWARE-CNC Win.Trojan.Ceckno.cmz runtime traffic detected"; flow:to_server,established; content:"FYYLCS|3D|"; depth:7; nocase; content:"|28|MB|29|"; distance:0; nocase; reference:url,www.virustotal.com/#/file/ec608dfdcffcf346edf5e54eed6a9147/detection; classtype:trojan-activity; sid:20234; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Virut variant outbound connection"; flow:to_server,established,only_stream; content:"t?c=eJw"; http_uri; content:"requestId="; distance:0; http_uri; pcre:"/t\x3fc\x3deJw\w{7}(EM|B(Q|M|U|B))/U"; detection_filter:track by_src, count 3, seconds 60; metadata:service http; reference:url,www.virustotal.com/en/file/3a2d1c2867da2ff9773ec7042e0b59f5bed9033ff311cab924e125d481220476/analysis/; classtype:trojan-activity; sid:20233; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cycbot variant outbound connection"; flow:to_server,established; content:"&tq=g"; fast_pattern:only; http_uri; pcre:"/\x2e(jpg|png|gif)\x3fs?v.*?&tq=g[A-Z0-9]{2}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/01fabe4ad1552f4d61b614a319c90b33a6b6b48c5da63965924b687e3f251ca8/analysis/; classtype:trojan-activity; sid:20232; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jinchodz variant outbound connection"; flow:to_server,established; content:".exe"; nocase; http_uri; content:"User-Agent|3A 20|Agent"; fast_pattern:only; http_header; pcre:"/^\/\d\x2eexe/Ui"; pcre:"/User-Agent\x3a\x20Agent\d{5,9}/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59c54a224ccff90e4e2f89a5ca5d60c974d00e7a5d2b738abbeba6542eecfc0d/analysis/; classtype:trojan-activity; sid:20229; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hupigon variant outbound connection"; flow:to_server,established; content:"/ip.txt"; fast_pattern; nocase; http_uri; content:"User-Agent|3A 20|"; http_header; content:!"Referer"; pcre:"/^User-Agent\x3a\x20[A-Z]{9}\x0d\x0a/Hm"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d72cf20f79da69781b0a7decdd9dfb1ffa2d62f75576861327eb0efd5da228d9/analysis/; classtype:trojan-activity; sid:20228; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Payazol.B variant outbound connection"; flow:to_server,established; content:"/user.asp?user1=user"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/7bdb143d20a87001778c28e7d25e131a/detection; classtype:trojan-activity; sid:20222; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2/analysis/; classtype:trojan-activity; sid:20221; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ToriaSpy.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/acesso.php"; http_uri; content:"windows|3D 24 5F|"; fast_pattern:only; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/e0d4bfae97ba1975f0c07ae6ae0dff576ecccc0bca87ef54ba852ceced700b29/analysis/; classtype:trojan-activity; sid:20219; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramagedos.A variant outbound connection"; flow:to_server,established; content:"Content-Length|3A| 17|0D|"; nocase; http_header; content:"GetList=UserAgent"; fast_pattern:only; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8/analysis/; classtype:trojan-activity; sid:20218; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramagedos.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/038/gs.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8/analysis/; classtype:trojan-activity; sid:20217; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swisyn variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gs.php"; nocase; http_uri; content:"Synapse"; nocase; http_header; content:"Content-Length|3A| 12"; distance:0; nocase; http_header; content:"id="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/07d2e3f1eaaeffefa493a9e2b81c8a92bc9ac29409920a0b9f02bf6a07f1dfe6/analysis/; reference:url,www.virustotal.com/en/file/5ed1654c72a0d6f274f61e3b3c61b247463533c7136f4e9d8dd63d408ca7f5b0/analysis/; reference:url,www.virustotal.com/en/file/eff9b75161853b46ad9f492480b3d39cbdbd23b02c16d50b291a3797b9bb4db8/analysis/; classtype:trojan-activity; sid:20213; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win32/Poison beaconing request"; flow:to_server,established; content:"|FF FF FF FF 01 02 FF FF FF FF|"; depth:10; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoison.BC; reference:url,www.virustotal.com/en/file/681c76134a6cfecee07fb2b377d3e748f74ed86d00a8ae24596e63fd8019f637/analysis/; classtype:trojan-activity; sid:20205; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Taidoor variant outbound connection"; flow:to_server,established; content:".php?id=0"; nocase; content:"111D30"; fast_pattern; nocase; http_uri; pcre:"/^\/[a-z]{5}\.php\?id=0\d{5}111D30[a-zA-Z0-9]{6}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-0611; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; reference:url,www.virustotal.com/en/file/145d64f38564eafa4fb5da0722c0e7348168024d32ada5cfb37a49f5811cb6b8/analysis/; classtype:trojan-activity; sid:20204; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Apple OSX.Revir-1 variant outbound connection"; flow:to_server,established; content:"/cdmax"; nocase; http_uri; pcre:"/^\/cdmax$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1e52289977e72ef905e07cbec8a7fbb72706fd2450aadb90acaf5377c0be8ef/analysis/; classtype:trojan-activity; sid:20202; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Zombie.sm variant outbound connection"; flow:to_server,established; dsize:28; content:"JOIN |23|DL34k3rBn3t TxRx0192|0D 0A|"; nocase; reference:url,www.virustotal.com/en/file/887f61b6b5c50f27763aa32aafe86fb16de68e748deea895fbaf72942f04ef26/analysis/; classtype:trojan-activity; sid:20109; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.Pher variant outbound connection"; flow:to_server,established; content:"/xml_domit.php"; fast_pattern:only; http_uri; content:"prakeim="; nocase; http_client_body; content:"&tit="; distance:0; nocase; http_client_body; content:"&tex="; within:64; distance:8; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/422752bb93f8d50a88b192f7002e0cd44f35bb146202ab1cd0cbc3fe1b844da1/analysis/; classtype:trojan-activity; sid:20108; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Small.Cns variant outbound connection"; flow:to_server,established; content:".aspx?cmac="; nocase; http_uri; content:"|26|supuserid|3D|"; distance:0; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/9fc9573422c62b7ccaeddd65806b403bf15b2f6a850f601087153639d3400e22/analysis/; classtype:trojan-activity; sid:20107; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Xtrat.A variant outbound connection"; flow:to_server,established; content:"|2E|functions HTTP|2F|"; depth:32; offset:5; pcre:"/\x2f\d{1,10}\x2efunctions HTTP\x2f/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/efe63a9c91b8728dbb0b8633759cc2088204f6272d9f71ded958932bb5e15805/analysis/; classtype:trojan-activity; sid:20099; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.KeyLogger.wav variant outbound connection"; flow:to_server,established; content:"Subject|3A|Rpt|0A 0D|"; content:"SL|3A|"; within:3; distance:1; content:"SL|3A|"; distance:0; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/523f3426d0832a54fdf45cc7f1d8604cabf0812880dc6377b61dbfa903adccef/analysis/; classtype:trojan-activity; sid:20098; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent.dcir infected host at destination ip"; flow:to_client,established; flowbits:isset,backdoor.agent.dcir; file_data; content:"FindProxyForURL("; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/9449ab89aefe0c05b90a4c3bba42ca06db9d38d63ce346b3b2e39cdd606c7fcb/analysis/; classtype:trojan-activity; sid:20097; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.dcir variant outbound connection"; flow:to_server,established; content:"/logo.gif"; http_uri; content:"User-Agent|3A| FileDownloader|2F|"; fast_pattern:only; http_header; flowbits:set,backdoor.agent.dcir; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/en/file/9449ab89aefe0c05b90a4c3bba42ca06db9d38d63ce346b3b2e39cdd606c7fcb/analysis/; classtype:trojan-activity; sid:20096; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emudbot.A variant outbound connection"; flow:to_server,established; content:"/iLog.php?dl="; nocase; http_uri; content:"&log=Loader"; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/55745e85c97f1cab1ce61e3a80876611c2475f1219b3649cf71a8dfb88738977/analysis/; classtype:trojan-activity; sid:20088; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.FGU variant outbound connection"; flow:to_server,established; content:".php?tipo=./"; nocase; http_uri; content:"/&nome="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/62cc69ce5a3f11fbf58fbb45718c6b257d55bae3b2a939a996747e1e44e85f61/analysis/; classtype:trojan-activity; sid:20087; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload.ABY variant outbound connection"; flow:to_server,established; content:"name|3D 22|conteudo|22 0D 0A|"; nocase; http_client_body; content:"name|3D 22|myFile|22 0D 0A|"; distance:0; nocase; http_client_body; content:"|2E|log"; distance:1; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/bdcaba561cafb02caa1fe0d64132aa7d2af40872d4df8e0cacfa6b88cc36174a/analysis/; classtype:trojan-activity; sid:20086; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Veebuu.BX variant outbound connection"; flow:to_server,established; content:"Idle|2E 2E 2E 20 7C 20|"; depth:10; reference:url,www.virustotal.com/en/file/5f06fed00fa2d0c020ec9d73993b82a4f92f62c7df34198fce37c2625b4ac0e1/analysis/; classtype:trojan-activity; sid:20085; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fucobha.A variant outbound connection"; flow:to_server,established; content:"/upload.aspx?filepath=info&filename="; fast_pattern:only; http_uri; content:"User-Agent|3A| MyAgent|0D 0A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9e16a846e5bbdb5775dc0e2286ba03a9e09327f9244705d79674b613e6fd2b08/analysis/; classtype:trojan-activity; sid:20083; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Inject.raw variant outbound connection"; flow:to_server,established; content:"S_0001|A2 95 B3|ID"; depth:11; nocase; content:"|A2 95 B3|IDLE TIME|A2 95 B3|"; within:256; distance:25; reference:url,www.virustotal.com/en/file/7b4da2d0f51e45732deee277ecb1286f1c5d8a0d05588b33bd0ca2d75f77e42c/analysis/; classtype:trojan-activity; sid:20082; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Yakes.cbi variant outbound connection"; flow:to_server,established; content:"/gate.php?v="; nocase; http_uri; content:"|26|b|3D|"; distance:0; nocase; http_uri; content:"|26|r|3D|"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5deaa7b46f1820c7776339bf975b9b8ac5fa50ceb36967989c06b03a3e980e33/analysis/; classtype:trojan-activity; sid:20081; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0/analysis/; reference:url,www.virustotal.com/en/file/705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe/analysis/; classtype:trojan-activity; sid:20080; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Russkill.C variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length|3A 20|17"; fast_pattern:only; http_header; content:"k|3D|"; depth:2; nocase; http_client_body; pcre:"/^k=\d{15}/smiP"; metadata:service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:trojan-activity; sid:20079; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Russkill.C variant outbound connection"; flow:to_server,established; content:"/driver32/update/m_"; fast_pattern:only; http_uri; content:"k|3D|"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440/analysis/; classtype:trojan-activity; sid:20078; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agobot.ast variant outbound connection"; flow:to_server,established; content:"/ots.php?seller="; fast_pattern:only; http_uri; content:"&hash={"; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/6792090383339d6bd4332aa16b0402f0e3fa00eb74fb5648c15134bc6368e57b/analysis/; classtype:trojan-activity; sid:20077; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agobot.ast variant outbound connection"; flow:to_server,established; content:".php?seller="; nocase; http_uri; content:"&hash={"; nocase; http_uri; content:"User-agent|3A| GoogleBot|0D|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6792090383339d6bd4332aa16b0402f0e3fa00eb74fb5648c15134bc6368e57b/analysis/; classtype:trojan-activity; sid:20076; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Ruskill.abl variant outbound connection"; flow:to_server,established; content:"JOIN |23|rndbot "; depth:32; nocase; reference:url,www.virustotal.com/en/file/2c8118c045f04b35b11a6e120a1b83cd89599369bbd64fe60ad173f300c846cf/analysis/; classtype:trojan-activity; sid:20075; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.IRCBot.iseee variant outbound connection"; flow:to_server,established; content:"|0D 0A|USER root 8 |2A|  |3A| "; depth:64; nocase; reference:url,www.virustotal.com/en/file/8316df3c7fc1c84815d28eb638c9aac08c76a3d07111edd13147125b7df3ff5b/analysis/; classtype:trojan-activity; sid:20074; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.alhq runtime traffic detected"; flow:to_server, established; content:"|2F|a|2F|asp|2F|downlist.php|3F|uncode|3D|"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A| Microsoft URL Control |2D|"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/9feb9b2c472cdebac21e1807d251b1b5/detection; classtype:trojan-activity; sid:20069; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jetilms.A runtime activity detected"; flow:to_server, established; content:"|2F 3F|ver|3D|"; nocase; http_uri; content:"|26|label|3D|"; nocase; http_uri; content:"|26|user|3D|"; nocase; http_uri; content:"|26|comp|3D|"; nocase; http_uri; content:"|26|guid|3D|"; nocase; http_uri; content:"|26|act|3D|get|5F|task"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f1a18eab4fa990cee757143f32a93f3e/detection; classtype:trojan-activity; sid:20068; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Zatvex.A runtime traffic detected"; flow:to_server,established; content:"/loPtfdn3dSasoicn/"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/76b31dd23a532c87d7633bf998a2b293/detection; classtype:trojan-activity; sid:20067; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Win32 SensLiceld.A runtime traffic detected"; flow:to_client,established; file_data; content:"[SERVER]connection to "; depth:22; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/53ba6845f57f8e9ef600ef166be3be14/detection; classtype:trojan-activity; sid:20066; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malware Win.Trojan.Clemag.A variant outbound connection"; flow:to_server,established; content:!"User-Agent|3A|"; nocase; http_header; content:"|2F|?id=0&"; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&c="; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/7d222127f0645c853e8dab3750a2532c/detection; classtype:trojan-activity; sid:20064; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BitCoin Miner IP query"; flow:to_server,established; content:"/search="; fast_pattern:only; http_uri; urilen:<50; content:!"Referer|3A| "; nocase; http_header; pcre:"/Host\x3A\s*\d{1,3}\./Hi"; metadata:impact_flag red, service http; reference:url,threatpost.com/en_us/blogs/miner-botnet-bitcoin-mining-goes-peer-peer-081911; reference:url,www.virustotal.com/en/file/0030c61b1cdae2f4be9c3e3e3c904a4037c9933f2a0ceea8a73a675e47e176d4/analysis/; classtype:trojan-activity; sid:20057; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adware Kraddare.AZ variant outbound connection"; flow:to_server,established; content:"app_install.php?ver="; http_uri; content:"mac="; distance:0; http_uri; content:"pid="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/d272bcd795fcf63f5486d28cbc25287b84e7c3a5d5960beac9b119a82da107cc/analysis/; classtype:trojan-activity; sid:20043; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sinowal outbond connection"; flow:to_server,established; content:"POST"; http_method; content:"/search?fr=altavista&itag="; http_uri; content:"[System Process]"; fast_pattern:only; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/94fdee4ebd012b39c2d0a1a1563db985cea74eb85f38dceed7103c2bfb4ad77e/analysis/; classtype:trojan-activity; sid:20042; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KSpyPro.A variant outbound connection"; flow:to_server,established; content:"pcname|3D|"; nocase; http_client_body; content:"|26|note|3D|"; distance:0; nocase; http_client_body; content:"|26|country|3D|"; distance:0; nocase; http_client_body; content:"|26|user|3D|"; distance:0; nocase; http_client_body; content:"|26|log|3D|Message"; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/4f9523018440a018c8f27e569b3a61361f1454bbcd2ff2ff315ac4aa22aa4877/analysis/; classtype:trojan-activity; sid:20040; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.cve runtime traffic detected"; flow:to_server, established; content:"|0D 0A 2B 20 2B| SantNws"; depth:300; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/bf726394c2616770c0958d4b3b279fd4/detection; classtype:trojan-activity; sid:20038; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.cve runtime traffic detected"; flow:to_server, established; content:"/libraries/phpinputfilter/.svn/props/infosnt.php"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/bf726394c2616770c0958d4b3b279fd4/detection; classtype:trojan-activity; sid:20037; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Agent.ndau runtime traffic detected"; flow:to_server,established; content:"/contador/keepnew.php|3F 26|loader|3D|tadin"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/0CC652E775905BE1A0F1511AB18498E4/detection; classtype:trojan-activity; sid:20036; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.Win32 Coinbit.A runtime traffic detected"; flow:to_server,established; content:"|0D 0A 0D 0A|cos|0D 0A 0D 0A 2D 2D 3D 5F|MoreStuf|5F|"; offset:160; nocase; content:"name=|22|wallet.dat|22|"; distance:0; nocase; reference:url,www.virustotal.com/#/file/6cb3c1406fbd1dbe28a2c839a26c0803/detection; classtype:trojan-activity; sid:20035; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Windows Antivirus Pro variant outbound connection"; flow:to_server,established; content:"/action/action3.cgi"; http_uri; content:"core2623|2E|racingmoney|2D|0110|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/828835fb4b8ecc5064a0f6496ba160d37a32022dee7f82a0c8b275d312620b15/analysis/; classtype:trojan-activity; sid:20028; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Banker.abg.b variant outbound connection"; flow:to_server,established; content:"/tody.php"; http_uri; content:"www|2E|vempramim|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f56aa51076f040247f3d4bcbd4095ad6553310d42a78d41fa10848fddb305ff6/analysis/; classtype:trojan-activity; sid:20026; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dreamy.bc variant outbound connection"; flow:to_server,established; content:"/nnk1/knock.php"; http_uri; content:"win="; distance:0; http_uri; content:"id="; distance:0; http_uri; content:"lip="; distance:0; http_uri; content:"s5="; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/abee378ca002f1fcbfdbbbb9d10e908b681afbb47c0d64ae914e2474537ef03e/analysis/; classtype:trojan-activity; sid:20024; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Advanced Virus Remover variant outbound connection"; flow:to_server,established; content:"/buy/?code="; http_uri; content:"advanced-virus-remover2009|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/488f51e8fd511dbfe27182a998aed769d2a7bb06ad02076de50a73261fdc210f/analysis/; classtype:trojan-activity; sid:20023; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Padobot.z variant outbound connection"; flow:to_server,established; content:"/w.php"; nocase; http_uri; content:"ifc="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/45db57d702155905c5f738a28f91c396e8dc8284cc2aeda71d03a2f5a960ea8e/analysis/; classtype:trojan-activity; sid:20022; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MalwareDoctor variant outbound connection"; flow:to_server,established; content:"/buynow.php"; fast_pattern; nocase; http_uri; content:"userId="; distance:0; nocase; http_uri; content:!"Referer"; nocase; http_header; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/bfc294ae9aa0da8fd65544bdea740fc48b94b1608c7f9d99e6092153dd2029cd/analysis/; classtype:trojan-activity; sid:20020; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Autorun variant outbound connection"; flow:to_server,established; content:"/f/7.bmp"; http_uri; content:"df|2D|123|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2b5064dcf918207d31537e41c1b43b6cac2b62f9d343005c1180dde8e21790d9/analysis/; classtype:trojan-activity; sid:20018; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Koobface.dq variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gen.php"; http_uri; content:"a="; nocase; http_client_body; content:"v="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/41b8334bd484e26bcbf9f6ccf2062c17002d2d8a59b637d7c6ef4bf12a794289/analysis/; classtype:trojan-activity; sid:20017; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/chat/sys.php?"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/da5dbc5676fbed9119beaddf5d05b89d8d02379c96701a672cacf36381016153/analysis/; classtype:trojan-activity; sid:20016; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/chat/cfg.ini"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/da5dbc5676fbed9119beaddf5d05b89d8d02379c96701a672cacf36381016153/analysis/; classtype:trojan-activity; sid:20015; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 23974 (msg:"MALWARE-CNC Kaju variant outbound connection - confirmation"; flow:to_server,established; content:"Recebendo "; depth:10; nocase; reference:url,www.virustotal.com/en/file/b0aefb22358c55dac66e263a76339d60efa2e4008b28378a3eb932c80dd8af36/analysis/; classtype:trojan-activity; sid:20014; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Briewots.A runtime traffic detected"; flow:to_server,established; content:"/geo/countrybyip.php"; nocase; http_uri; content:"User-Agent|3A| User Agent"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f8433bdde30354db80ebce58b2c866ea/detection; classtype:trojan-activity; sid:20011; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win32/Babmote.A runtime TCP traffic detected"; flow:to_server,established; content:"EMSG"; depth:4; content:"|3C|Msg"; within:4; distance:16; reference:url,www.virustotal.com/#/file/0712178d245f4e5a5d0cf6318bf39144/detection; classtype:trojan-activity; sid:20010; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Malware PDFMarca.A runtime traffic detected"; flow:to_server,established; dsize:22; content:"|10 00|"; depth:2; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:4; metadata:impact_flag red; reference:url,www.virustotal.com/#/file/2cd31ca700e2528cc356e50d5c24150c/detection; classtype:trojan-activity; sid:20008; rev:7;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Worm Plurp.A runtime traffic detected"; flow:to_server,established; content:"file=PurpleMood.scr"; nocase; metadata:service smtp; reference:url,www.virustotal.com/#/file/4a79bee4c4dfce2bf64b1415c78c7252/detection; classtype:trojan-activity; sid:20006; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32 Lecna.cr runtime traffic detected"; flow:to_server,established; content:"/yzmls/bak.htm"; nocase; http_uri; content:"www.iantoan.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/8c7aaffc4d340de4780d747398c7d5fb/detection; classtype:trojan-activity; sid:20005; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy Pilonoc install-time traffic detected"; flow:to_server,established; content:"/1/cfg.bin"; nocase; http_uri; content:"pilonoc.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/703ea78d658fe72c70465e48b0d31d21/detection; classtype:trojan-activity; sid:20004; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy Pilonoc runtime traffic detected"; flow:to_server,established; content:"/1/gate.php"; nocase; http_uri; content:"pilonoc.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/703ea78d658fe72c70465e48b0d31d21/detection; classtype:trojan-activity; sid:20003; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"MALWARE-CNC Allaple.e variant outbound connection"; flow:to_server,established; flowbits:isset,backdoor.Allaple; content:"MEOW"; pcre:"/[\xb0\xc0]\x05\x00\x00[\xb0\xc0]\x05\x00\x00\x4d\x45\x4f\x57\x04\x00\x00\x00\xa2\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46\x38\x03\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46\x00\x00\x00\x00[\x80\x90]\x05\x00\x00[\x78\x88]\x05\x00\x00\x00\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc\xc8\x00\x00\x00\x4d\x45\x4f\x57/smi"; reference:url,www.virustotal.com/en/file/4b2eb0da416be0dca7c8f87edcc6f0363cd9651baf3d8b918c15ca8c06014716/analysis/; classtype:trojan-activity; sid:20002; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"MALWARE-CNC Allaple.e variant outbound connection"; flow:to_server,established; content:"|05 00 0B|"; depth:3; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; within:16; distance:29; flowbits:set,backdoor.Allaple; flowbits:noalert; reference:url,www.virustotal.com/en/file/4b2eb0da416be0dca7c8f87edcc6f0363cd9651baf3d8b918c15ca8c06014716/analysis/; classtype:trojan-activity; sid:20001; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PSW.Win32.QQPass.gam variant outbound connection"; flow:to_server,established; content:"/install.asp?"; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; content:"tgid="; distance:0; http_uri; content:"address="; distance:0; http_uri; content:"regk="; distance:0; http_uri; content:"flag="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1f72870ed1025e226a7dc20abd3e1ae2a5ba3c7dc621f6964c5a553e4b436e04/analysis/; classtype:trojan-activity; sid:19997; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm Brontok.C variant outbound connection"; flow:to_server,established; content:"/sbllma5/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/9e543e5a3b553d6aab395fe48c2a18494b0777bbc7b5b7c28f6e86a85fbf06a6/analysis/; classtype:trojan-activity; sid:19996; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Waledac variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:".png"; http_uri; content:"|0A|a="; nocase; content:"&b=AAAAAA"; distance:0; fast_pattern; nocase; pcre:"/\x2F[a-z]+\x2epng/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6075bdd818db6d78a0ecd889383e09c61900c1735a00c5948dde4e27d17a4c65/analysis/; classtype:trojan-activity; sid:19995; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"MALWARE-CNC Win32 Poebot runtime traffic detected"; flow:to_server,established; content:"MODE |23|las6 +smntu"; depth:17; reference:url,www.virustotal.com/#/file/89f6a4c3973f54c2bee9f50f62428278/detection; classtype:trojan-activity; sid:19993; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Dropper.Win32.Farfli.A runtime traffic detected"; flow:to_server,established; content:"/tkz/getip.asp"; nocase; http_uri; content:"tkz3.toukuizhe.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/adcde10f51f6bd5bf78adf6fcee9d536/detection; classtype:trojan-activity; sid:19992; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot.PG runtime traffic detected"; flow:to_server,established; content:"/13/cfg.bin"; nocase; http_uri; content:"art-kyiv.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a2a2be79094c5d6000ab7b521499765e/detection; classtype:trojan-activity; sid:19991; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Asprox variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/forum.php"; nocase; http_uri; content:"name=|22|sid|22|"; nocase; content:"name=|22|up|22|"; distance:0; nocase; content:"name=|22|a_cl|22|"; distance:0; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/9885504c9d21193735adbb1f8c9cb53e9c044d0fb0f9449df12bbe537820838a/analysis/; classtype:trojan-activity; sid:19988; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kolabc.fic variant outbound connection"; flow:to_server,established; content:".exe"; nocase; http_uri; content:"zonetech.info"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/547da0254357203f1830045a08160740fc6cc3ff8bb66ee41306110c537a1e0e/analysis/; classtype:trojan-activity; sid:19983; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.wwe variant outbound connection"; flow:to_server,established; content:"/key/list.txt"; nocase; http_uri; content:"d|2E|www|2D|263|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/53622e9c11febe7eb97c85354d20a6bb3d4201a78ccf09f9c4ad157a9d431e91/analysis/; classtype:trojan-activity; sid:19982; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micstus.A runtime traffic detected"; flow:to_server,established; content:"EIag|3A| 0d1975bf"; http_header; content:"9c|3A|eac"; http_header; pcre:"/\x2E(jps|asp|aspx)\x3F/U"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/51e0a0fb96fa2f6f7ea1b53f656c1b1a/detection; classtype:trojan-activity; sid:19981; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC IRCBot runtime traffic detected"; flow:to_server, established; content:"JOIN |23|devbot"; depth:14; reference:url,www.virustotal.com/#/file/2cd31ca700e2528cc356e50d5c24150c/detection; classtype:trojan-activity; sid:19980; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC IRCBot runtime traffic detected"; flow:to_server, established; content:"NICK |5B|mBot|7C|"; depth:11; reference:url,www.virustotal.com/#/file/2cd31ca700e2528cc356e50d5c24150c/detection; classtype:trojan-activity; sid:19979; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Viking.JB Worm runtime traffic detected"; flow:to_server,established; content:"/down.txt"; nocase; http_uri; content:"wangma.9966.org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/latestreport.html?resource=672145e3776089289ff8b0e5b55ad2ba; classtype:trojan-activity; sid:19978; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LooksLike.Zaplot variant outbound connection"; flow:to_server,established; content:"/img/gt.cgi"; nocase; http_uri; content:"User-Agent|3A 20 2D 0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/43ec44a2eb54a7a2998d99da8da3aa7c8d085bfea273d90a6082fb1521e63860/analysis/; classtype:trojan-activity; sid:19977; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypt.vb variant outbound connection"; flow:to_server,established; content:"/?dn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ztomy.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/3f6191d354f61c2d579045add3136251e2ade0557b6e25e1589c8a8756573832/analysis/; classtype:trojan-activity; sid:19975; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Small.bwj variant outbound connection"; flow:to_server,established; content:"/progs/"; nocase; http_uri; content:"adv="; nocase; http_uri; content:"cbfkzhtyik.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b70ba1cbef7d3183a69635c3ff27cd84b64f23f2c05b03c6aabadecb23955a85/analysis/; classtype:trojan-activity; sid:19974; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win.Trojan.Nebuler.D variant outbound connection"; flow:to_server,established; content:"/img/cmd.php?c="; nocase; http_uri; content:"&id="; distance:0; nocase; http_uri; content:"&cnt="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/152e84327bc7a8f46ec0794ea041eae80cabc54817adef5b1e78d9e12659f6fd/analysis/; classtype:trojan-activity; sid:19973; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mudrop.lj variant outbound connection"; flow:to_server,established; content:"/2/clconfig.rar"; nocase; http_uri; content:"Host|3A| www.52cps.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/3e7a75636b5337e5d73db45251065a6c562e613019676bd5920b2409332052d9/analysis/; classtype:misc-activity; sid:19971; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smalltroj.MHYR variant outbound connection"; flow:to_server,established; content:"/blak/stat.php"; nocase; http_uri; content:"anti-lamer.ru"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/a93b78866d26c98f032d2674c744b822cf8cc7e7b35e79a4122dd21ba43b1e45/analysis/; classtype:trojan-activity; sid:19970; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypt.CY variant outbound connection"; flow:to_server,established; content:"/fz.txt"; nocase; http_uri; content:"g.sog369.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/cf6d415f22373e0875c91e825a5419d5e5f9132e338fe379681c28c758404eb6/analysis/; classtype:trojan-activity; sid:19969; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PSW.QQPass.amx variant outbound connection"; flow:to_server,established; content:"/1.php"; nocase; http_uri; content:"a.800h.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e759b8926cf614671305ace946d10f330b708006c1bd459a6ccd91a2606b4367/analysis/; classtype:trojan-activity; sid:19968; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-PSW.Win32.Papras.dm variant outbound connection"; flow:to_server,established; content:"/cgi-bin/options.cgi?"; nocase; http_uri; content:"passphrase="; distance:0; nocase; http_uri; content:"pull.dolcebrava.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4adf80bfb63eebe60282ae23287e0f8494c7abbdcc0c66033552733b267d154d/analysis/; classtype:trojan-activity; sid:19967; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Octopus 0.1 inbound connection"; flow:to_server,established; content:"Conexion|7C|"; depth:9; nocase; pcre:"/^Conexion\x7c[^\r\n]*?\x7c[^\r\n]*?\x7c[^\r\n]*?\x7c/smi"; reference:url,www.virustotal.com/en/file/631c32585a009aa6be1880d7f64a7080cb95e48348a016ae35ac1c618994239d/analysis/; classtype:trojan-activity; sid:19966; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Agent.avzz variant outbound connection"; flow:to_server,established; content:"/pubns/indg406.pdf"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1e63bc0a8e960598aff02f3358ad98c8ea48c7254713cf20476b62adbd1012c0/analysis/; classtype:trojan-activity; sid:19965; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; urilen:>18,norm; content:"Cache-Control"; nocase; http_header; content:"no-cache"; within:20; nocase; http_header; content:!"http"; depth:4; nocase; http_uri; content:".gif?"; fast_pattern; nocase; http_uri; content:"="; within:8; distance:4; http_uri; pcre:"/\.gif\x3F[a-f0-9]{4,7}\x3D\d{6,8}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:19964; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Banload.aajs variant outbound connection"; flow:to_server,established; content:"/imagez/bground0"; http_uri; pcre:"/\/imagez\/bground0[12]\.jpg/Usmi"; metadata:service http; reference:url,www.virustotal.com/en/file/852ecff6514cb1fb53ec757078fe8cf1a1b207f5ed75e2dae44cdb95d46a459f/analysis/; classtype:trojan-activity; sid:19963; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Email-Worm.CryptBox-A variant outbound connection"; flow:to_server,established; content:"/pas/apstpldr.dll.html?affid=169343"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/9b11150b59bdefa9a27aa19cb2a74a8f588e20333996d8a8d7fae8cc60785210/analysis/; classtype:trojan-activity; sid:19962; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fouad 1.0 variant outbound connection"; flow:to_server,established; content:"/ip.asp"; http_uri; content:"www|2E|mistrosoft|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/7d3a801280843d8eb0a9c682c5093c53ed5c59d4cfdec15115f2b1615194fb80/analysis/; classtype:trojan-activity; sid:19961; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.aulk variant outbound connection"; flow:to_server,established; content:"/?tn=1027271"; http_uri; content:"www|2E|6700|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2e17a38f8272c73c3061949c986452b52a873d9af53c459abd47c6bd3e0ba755/analysis/; classtype:trojan-activity; sid:19960; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.aulk variant outbound connection"; flow:to_server,established; content:"/update.php?"; http_uri; content:"www|2E|woyaochidongxi|2E|com|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2e17a38f8272c73c3061949c986452b52a873d9af53c459abd47c6bd3e0ba755/analysis/; classtype:trojan-activity; sid:19959; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.aulk variant outbound connection"; flow:to_server,established; content:"/api.php?"; http_uri; content:"www|2E|buyaohenchang|2E|com|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2e17a38f8272c73c3061949c986452b52a873d9af53c459abd47c6bd3e0ba755/analysis/; classtype:trojan-activity; sid:19958; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Arabian-Attacker 1.1.0 variant outbound connection"; flow:to_server,established; content:"Wachtw"; depth:6; nocase; isdataat:!20; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/b4f5f7b8663ad48836e8c3f745a9e92b141e1843a2840b78e428dfb86d16e4d1/analysis/; classtype:trojan-activity; sid:19957; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC PaiN RAT 0.1 variant outbound connection"; flow:to_client,established; content:"3TWKDAmxsP11"; depth:12; nocase; content:"|0D 0A|"; within:2; distance:4; reference:url,www.virustotal.com/en/file/ac1a8f7ec4b60807f7dad48ace1a0f37258308b4456cbb4896c8ab50a27c86b5/analysis/; classtype:trojan-activity; sid:19955; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Hack Style RAT variant outbound connection"; flow:to_server,established; content:"Hi|7C|Nueva Conexion|7C|"; depth:18; reference:url,www.virustotal.com/en/file/b073a5bf32a4a02bf086d7214c885f5069a18d80fe2e31cb8427743078f6ec92/analysis/; classtype:trojan-activity; sid:19954; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Biodox variant outbound connection"; flow:to_server,established; flowbits:isset,backdoor_biodox; content:"[SETSINFO]"; fast_pattern:only; reference:url,www.virustotal.com/en/file/4f13f17105c64cb817ad7f47960b0a673cd2767a513713312c8f50516f8e08ee/analysis/; classtype:trojan-activity; sid:19953; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Biodox inbound connection"; flow:to_client,established; content:"[GETSINFO]"; depth:10; nocase; flowbits:set,backdoor_biodox; flowbits:noalert; reference:url,www.virustotal.com/en/file/4f13f17105c64cb817ad7f47960b0a673cd2767a513713312c8f50516f8e08ee/analysis/; classtype:trojan-activity; sid:19952; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Defsel variant outbound connection"; flow:to_server,established; flowbits:isset,backdoor.darkstrat; content:"MAININFO|7C|"; depth:9; nocase; reference:url,www.virustotal.com/en/file/c1134813519536396ab340e7170eaa00bcfc6c397269e40d7483fdae88b48b37/analysis/; classtype:trojan-activity; sid:19951; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Defsel inbound connection"; flow:to_client,established; file_data; content:"MAININFO|7C|"; depth:9; nocase; pcre:"/^MAININFO\x7c\d+\x0d\x0a/smi"; flowbits:set,backdoor.darkstrat; flowbits:noalert; reference:url,www.virustotal.com/en/file/c1134813519536396ab340e7170eaa00bcfc6c397269e40d7483fdae88b48b37/analysis/; classtype:trojan-activity; sid:19950; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.asjk variant outbound connection"; flow:to_server,established; content:"/nsi.php?aff=searchersmart&act=install"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/09dbf46c562135ca15da1d95a40e9717807adb128010a1a66d6fda23df08d910/analysis/; classtype:trojan-activity; sid:19949; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.asjk variant outbound connection"; flow:to_server,established; content:"/bc/1oft.php"; http_uri; content:"s2|2E|offersfortoday|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/09dbf46c562135ca15da1d95a40e9717807adb128010a1a66d6fda23df08d910/analysis/; classtype:trojan-activity; sid:19948; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.amwd variant outbound connection"; flow:to_server,established; content:"/unexciting/default/jaritast3.ini"; http_uri; content:"address|2D|bar|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b126087949bd8ac1c4c125fddc74751ad150cae0b4fc9fb6f2a9fd5a2cf5f812/analysis/; classtype:trojan-activity; sid:19947; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Agent.amwd variant outbound connection"; flow:to_server,established; content:"/inetcreative/default/"; http_uri; content:"isearchmoa|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b126087949bd8ac1c4c125fddc74751ad150cae0b4fc9fb6f2a9fd5a2cf5f812/analysis/; classtype:trojan-activity; sid:19946; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Agent.amwd variant outbound connection"; flow:to_server,established; content:"/inetcreative/default/"; http_uri; content:"recommandsite|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b126087949bd8ac1c4c125fddc74751ad150cae0b4fc9fb6f2a9fd5a2cf5f812/analysis/; classtype:trojan-activity; sid:19945; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Banload.ykl variant outbound connection"; flow:to_server,established; content:"/_obi/dvixx.zip"; http_uri; content:"www|2E|mideaststudies|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/8c2231dc9bce37452863d40701864e68951028cbbef02fbde3de8a37e8f07bc4/analysis/; classtype:trojan-activity; sid:19944; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TrojanSpy Win.Trojan.Zbot.Gen variant outbound connection"; flow:to_server,established; content:"/img/ld.php?v="; http_uri; content:"rs="; distance:0; http_uri; content:"n="; distance:0; http_uri; content:"uid="; distance:0; http_uri; content:"axionaw|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/826c90d32db7afc9b99c30011d12bc2f26c895ebbda108104d2a5bb8bad16e05/analysis/; classtype:trojan-activity; sid:19942; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TrojanSpy Win.Trojan.Zbot.Gen variant outbound connection"; flow:to_server,established; content:"/mx1/mx.for"; http_uri; content:"indiborge|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/826c90d32db7afc9b99c30011d12bc2f26c895ebbda108104d2a5bb8bad16e05/analysis/; classtype:trojan-activity; sid:19941; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Dropper.IRC.TKB variant outbound connection - dir4you"; flow:to_server,established; content:"/ldr/j1_2.php"; http_uri; content:"www|2E|dir4you|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/013d4d42a02cfa8d1faebad762fe2c6a7adb9bb6ceece27adff0a250cf2be633/analysis/; classtype:trojan-activity; sid:19940; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Delf.aba variant outbound connection"; flow:to_server,established; content:"/Setup5008/5008.txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/802bf90a9afa803b017c331c25b0975b29b40c4084a79dcb5615786182c010ca/analysis/; classtype:trojan-activity; sid:19936; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Delf.aba variant outbound connection"; flow:to_server,established; content:"/by920.com.js"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/802bf90a9afa803b017c331c25b0975b29b40c4084a79dcb5615786182c010ca/analysis/; classtype:trojan-activity; sid:19935; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lineage.Gen.Pac.3 variant outbound connection"; flow:to_server,established; content:"/xmfx/help1.rar"; http_uri; content:"www|2E|mgmicrosoft|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1f2ff53f7fd82efecf8b284950a1b12976959f000f33b6808415cd648a8310c7/analysis/; classtype:trojan-activity; sid:19931; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Spidern.A variant outbound connection"; flow:to_server,established; content:"Spidern"; depth:7; content:"|00 00|"; within:3; distance:2; reference:url,www.virustotal.com/#/file/25FF21FB53CF4C393A46E74F1089316C/detection; classtype:trojan-activity; sid:19924; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC Win.Trojan.Venik.B variant outbound connection"; flow:to_server,established; content:"|26 26 26 26 26 26 26 26 26 26 26 57 8D 90 46|"; fast_pattern:only; reference:url,www.virustotal.com/#/file/23118e227e3969a219e013745cc5ed9b/detection; classtype:trojan-activity; sid:19923; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz.ivr variant outbound connection"; flow:to_server,established; content:"/login.php"; nocase; http_uri; content:"|0D 0A|Content-Length|3A 20|6|0D 0A 0D 0A 9E 84 B5 E8 71 28|"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/#/file/506458EEE696BF56D13B10EAA42D7504/detection; classtype:trojan-activity; sid:19922; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Puprlehzae.A variant outbound connection"; flow:to_server,established; content:"/Y2x8MS4w"; nocase; http_uri; content:"Host|3A 20|goooogie2"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1392a95618179ea1772286b8076b8b5d783bea4dbfbd51871283c13dabd25b1f/analysis/; classtype:trojan-activity; sid:19921; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Reppserv.A outbond connection"; flow:to_server,established; content:"?frevny|3D|"; nocase; http_uri; content:"&bf|3D|"; distance:0; nocase; http_uri; content:"httpbot|0D 0A|"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/dd714d3585f0ea97437b6b36059c42338297282da848c571fb0951e61b5ee7b5/analysis/; classtype:trojan-activity; sid:19920; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Murcy.A variant outbound connection"; flow:to_server,established; content:"Extra-Data|3A 20|4ZFNSAAEAA"; nocase; http_header; content:"Content-Length|3A 20|0|0D 0A|"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/ee6fb8090411f88e21bc991110fd1c466edcfb39157c3b4391cdbbc58fb09675/analysis/; classtype:trojan-activity; sid:19919; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Worm.Ganelp.B variant outbound connection"; flow:to_server,established; dsize:25; content:"STOR jrend/Ups/"; depth:15; content:"|0D 0A|"; within:2; distance:8; metadata:service ftp; reference:url,www.virustotal.com/en/file/3a041792764800a48ff655afbe4a919fdd4f2bbdc61b7b84b0fb98ba6f9cf9b8/analysis/; classtype:trojan-activity; sid:19918; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sogu.A variant outbound connection"; flow:to_server,established; content:"/update?product=windows"; fast_pattern:only; http_uri; content:"X-Status|3A|"; nocase; http_header; content:"X-Size|3A| "; distance:0; nocase; http_header; content:"X-Sn|3A|"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/727c5a2c3db079351a79367a1d9eada072a8e19bce0a02eb680088e8eae9bd67/analysis/; classtype:trojan-activity; sid:19917; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos.ACB variant outbound connection"; flow:to_server,established; content:"praquem="; nocase; http_client_body; content:"titulo="; distance:0; nocase; http_client_body; content:"%2E%3A%3A%3AINFECT%3A%3A%3A%2E"; distance:0; nocase; http_client_body; content:"texto="; distance:0; nocase; http_client_body; content:"%2E%3A%3A%2EINFECT%2E%3A%3A%2E"; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/d5ce46b4ee74ca759a41f409e521c0ce0cc55b3038a62ad451e1054c32744d31/analysis/; classtype:trojan-activity; sid:19916; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gnutler.apd variant outbound connection"; flow:to_server,established; content:"/ipinfo?v="; nocase; http_uri; content:"&c=NqCgIru/"; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/251a9365b25810ff498807bbfc19b042a94bba6bdf33b7d488f1ed9c07043731/analysis/; classtype:trojan-activity; sid:19915; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Quivoe.A variant outbound connection"; flow:to_server,established; content:"/net/B"; nocase; content:"/searchnNewsNn2.php"; distance:0; nocase; reference:url,www.virustotal.com/en/file/35ff5f1d3fbb67a42b78649394964a043fb7d8c409f73ba7d79cdddcdf8eda35/analysis/; classtype:trojan-activity; sid:19914; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DelfInject.gen!X variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/account?mode=auth"; nocase; http_uri; content:"user="; nocase; http_client_body; content:"pss="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/90dab78d3ce340823d736c11b7b6e20b7566d7e545efdac8527c6786e86d3506/analysis/; classtype:trojan-activity; sid:19912; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Small.jog variant outbound connection"; flow:to_server,established; content:"/cmd.php"; nocase; http_uri; content:"searchopt7.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/c522fea2f15d3904daecb3faa2ba2a69c882166e612187e74c6eac72a7185aa9/analysis/; classtype:trojan-activity; sid:19905; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cinmus Variant variant outbound connection"; flow:to_server,established; content:"/checkconnect.html"; http_uri; content:"realname|2E|webbrowser|2E|51edm|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9a51a4d069cfd1a9748cd63b0b868f11ba6be1aff1821b4b394bc707e4c715e7/analysis/; classtype:trojan-activity; sid:19898; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf.jwh variant outbound connection"; flow:to_server, established; content:"|26|ver|3D|"; depth:5; nocase; http_client_body; content:"|26|MAX_EXECUTE_TIME|3D|"; within:19; nocase; http_client_body; content:"|26|botid|3D|"; nocase; http_client_body; content:"|26|botlogin|3D|"; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/077e265bbb9bd8394b02b970b705d7aaffa3caceece9624d893ce8180bed870c/analysis/; classtype:trojan-activity; sid:19895; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Arhost.D variant outbound connection"; flow:to_server,established; content:"|03 01 03 1B 07 D0 41 1E 51 39 B5|"; depth:11; reference:url,www.virustotal.com/en/file/22c7d907ea422c54e90b2f88756e1f7d4d1133d06ac85ac8d670e49eeeabf6f2/analysis/; classtype:trojan-activity; sid:19865; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Nvbpass variant outbound connection"; flow:to_server,established; content:"/stat?uptime="; depth:64; offset:4; nocase; content:"&statpass=bpass"; within:37; distance:20; fast_pattern; nocase; content:!"Accept|3A|"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0fadfd6b113e8bf420174dcdc54c6e342693b33811a1bf036a15be346686fb7d/analysis/; classtype:trojan-activity; sid:19864; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Httpbot.yi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Hackeroo"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/ca750720eb7485e16df573e6440ef5e4/detection; classtype:trojan-activity; sid:19863; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar.iej variant outbound connection"; flow:to_server,established; content:"|2F|img|2F|gt|2E|cgi"; nocase; http_uri; content:"User-Agent|3A 20|-|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/44ee05d4e4a615ca4fc84e0f608c031e/detection; classtype:trojan-activity; sid:19862; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.cqcv variant outbound connection"; flow:to_server,established; content:"|2F|win|2E|jpg"; nocase; http_uri; content:"album2009us|2E|sitebr|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/d87369b10b5c5d037871647181521c3c/detection; classtype:trojan-activity; sid:19861; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1690 (msg:"MALWARE-CNC Win.Trojan.Hupigon.hhbd variant outbound connection - non-Windows"; flow:to_server,established; content:"|10 00 00 00 CE B4 D6 AA C0 E0 D0 CD|"; depth:12; reference:url,www.virustotal.com/en/file/3252346ab4a4a46e248dcbd565eec6c2c4bcfb689838a6fc20161439746d8a99/analysis/; classtype:trojan-activity; sid:19858; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1690 (msg:"MALWARE-CNC Win.Trojan.Hupigon.hhbd variant outbound connection - Windows"; flow:to_server,established; content:"|10 00 00 00|Windows"; depth:11; nocase; reference:url,www.virustotal.com/en/file/3252346ab4a4a46e248dcbd565eec6c2c4bcfb689838a6fc20161439746d8a99/analysis/; classtype:trojan-activity; sid:19857; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Packed.Win32.Krap.i variant outbound connection"; flow:to_server,established; content:"/us3/error"; http_uri; content:"jobfinder911|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e8e299df651e38350d93232311d887e77873f0bcfa70308656454042deed815d/analysis/; classtype:trojan-activity; sid:19856; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Delf.tbv variant outbound connection"; flow:to_server,established; content:"/descargas/numero0.php"; http_uri; content:"cartagenarumbera|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b15aebc6b3670b63d99c10d89d5e96ac165364ef8bd349f467f00137bf85b150/analysis/; classtype:trojan-activity; sid:19852; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.AutoRun.qgg variant outbound connection"; flow:to_server,established; content:"/index.php?type="; nocase; http_uri; content:"Host: razmgah.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/92de983ea23807f940a979ec5014a97acd4423da21d41c8035156a8f257555a0/analysis/; classtype:trojan-activity; sid:19851; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.AutoRun.qgg variant outbound connection"; flow:to_server,established; content:"/reg.php"; nocase; http_uri; content:"Host: abcd-0-reg.freehostia.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/92de983ea23807f940a979ec5014a97acd4423da21d41c8035156a8f257555a0/analysis/; classtype:trojan-activity; sid:19850; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Spy-Net 0.7 runtime"; flow:to_server,established; content:"maininfo|7C|"; depth:9; nocase; content:"|7C 56 ED 74 69 6D 61 5F|"; within:50; fast_pattern; reference:url,www.virustotal.com/en/file/fadbef698c9003c4083458db5c37a5dc96791e3e8f532db1f386a53b3ff55776/analysis/; classtype:trojan-activity; sid:19836; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZBot.RD variant outbound connection"; flow:to_server,established; content:"/ama/rec.php"; fast_pattern:only; http_uri; content:"funaman.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/b1d8672bb94c8702a84ba843e8edccc8350b8810a1a51af62d36889b8165f16d/analysis/; classtype:trojan-activity; sid:19834; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload.bda variant outbound connection"; flow:to_server,established; content:"hpg.ig.com.br"; fast_pattern:only; http_header; pcre:"/\x2F(ree|nl)\d+\x2Ehtml/iU"; metadata:service http; reference:url,www.virustotal.com/#/file/5896d49594656759b333765e1aa5196c/detection; classtype:trojan-activity; sid:19833; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1998 (msg:"MALWARE-CNC Win.Trojan.Veslorn.gen.A variant outbound connection"; flow:to_server,established; content:"FREE|3A|"; fast_pattern:only; pcre:"/FREE\x3A([^$\n]*\x7C){4}\d+-free/i"; reference:url,www.virustotal.com/#/file/bcbaa7dfcf94a40cd8f16e0770a43119/detection; classtype:trojan-activity; sid:19832; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot.SO variant outbound connection"; flow:to_server,established; content:"/test/gate.php"; http_uri; content:"POST"; http_method; content:"softsellfast"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/bc98955badf9a420d315d79aae169183/detection; classtype:trojan-activity; sid:19831; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poebot.BP variant outbound connection"; flow:to_server,established; content:"/mega/lgate.php"; fast_pattern; nocase; http_uri; content:"n="; distance:0; nocase; http_uri; content:"lometr.pl"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/391f1a7118adef7df0ead94e820b4ab0/detection; classtype:trojan-activity; sid:19830; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Rbot.gen variant outbound connection"; flow:to_server,established; content:"JOIN #D# mikey"; nocase; reference:url,www.virustotal.com/en/file/a91b5a24cf186cb21a3ac95d6b7b010bedb48e218d19a400b722d3fd499e7584/analysis/; classtype:trojan-activity; sid:19829; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyAgent.B variant outbound connection"; flow:to_server,established; content:"/realtime-spy/Files/"; nocase; http_uri; content:"www.spytech-web.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d031a0c13774cdf4db243e37fd2c7638cb478f5adf523abccdb6aea732be039c/analysis/; classtype:trojan-activity; sid:19828; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"MALWARE-CNC Gen-Trojan.Heur variant outbound connection"; flow:to_server,established; content:"|1D 00 00 01 85 20 00 00 00 6D 61 6D 6F 72 61 72 69 61 6A 68 6F 6E 6E 65|"; fast_pattern:only; reference:url,www.virustotal.com/en/file/6e115c09403180ec411a44285042524a38104d8b397a04be6cd177a6210388eb/analysis/; classtype:trojan-activity; sid:19824; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload.HH variant outbound connection"; flow:to_server,established; content:"/images/avenger.jpg"; nocase; http_uri; content:"he-consulting.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e84c63dcd2d803683092d6d5680fa30e6f38a51dcfcb70b94aff23ae35322680/analysis/; classtype:trojan-activity; sid:19822; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Bagle.gen.C variant outbound connection"; flow:to_server,established; content:"/images/1/filenames.php"; nocase; http_uri; content:"Host|3A| italiancasinoonline.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6dbac4a011a0f41d3d6a916cf8d07f7750f008a89b044bf6b1b1198439b671d2/analysis/; classtype:trojan-activity; sid:19821; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ertfor.A variant outbound connection"; flow:to_server,established; content:"/ff/sh.php"; nocase; http_uri; content:"quikup.info"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/53a29e4573d55af3a5df52d885d5972290fd1978731259a7e6d33217f160b008/analysis/; classtype:trojan-activity; sid:19820; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ertfor.A variant outbound connection"; flow:to_server,established; content:"/cd/cd.php"; nocase; http_uri; content:"updatesabout.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/53a29e4573d55af3a5df52d885d5972290fd1978731259a7e6d33217f160b008/analysis/; classtype:trojan-activity; sid:19819; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smser.cx variant outbound connection"; flow:to_server,established; content:"|2F|images|2F|catalog|2F|icon|2F|fg56h|2E|php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/e690030a2c43438133ac0cd80487c553/detection; classtype:trojan-activity; sid:19805; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.ktq variant outbound connection"; flow:to_server,established; content:"|2F|images|2F|z1|2F|s|2E|php"; nocase; http_uri; content:"www|2E|avtweb|2E|nl"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/3f0e49ece42080299a5986b6aeefb2a8/detection; classtype:trojan-activity; sid:19804; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wixud.B variant outbound connection"; flow:to_server,established; content:"|2F|ca|2F|count|2E|php|3F|flsh|3D|"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/3ae1d0bd89f59f1d3d66c222f6297ed6/detection; classtype:trojan-activity; sid:19802; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tracur variant outbound connection"; flow:to_server,established; content:"fQ_fQ_fQ_fQ"; http_uri; pcre:"/mJKV[^\s\x0D\x0A]+1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9a0b76500490d528b60e6a5662bf2d41/detection; classtype:trojan-activity; sid:19801; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pher.ij variant outbound connection"; flow:to_server,established; content:"|2F|bbs|2F|ggb2|2E|txt"; nocase; http_uri; content:"ipdown|2E|poloi999|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/5c43c657910e86f1b81e8a756514e028/detection; classtype:trojan-activity; sid:19800; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PWS.Win32.Zbot.gen.Q variant outbound connection"; flow:to_server,established; content:"/brigus_saloma/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/a0988c54802a857fdb2cecfcaae53dbb/detection; classtype:trojan-activity; sid:19799; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent2.kxu variant outbound connection"; flow:to_server,established; content:"/zj_ir/pip_"; http_uri; content:"get|2E|client|2D|get|2D|data|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/62063a63768053ecdf261423dcdb5001d1d30d58a48a9277d7ae1280545f80be/analysis/; classtype:trojan-activity; sid:19798; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Safety Center variant outbound connection"; flow:to_server,established; content:"/ass.php"; http_uri; content:"urodinam|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1b228aac7ed3d186a1697df189b8e87d7c6d654aa22e5334f5349bc345ac8ea2/analysis/; classtype:trojan-activity; sid:19797; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DL.CashnJoy.A variant outbound connection"; flow:to_server,established; content:"/App/Ver_CNJoy.txt"; fast_pattern:only; http_uri; content:"Host|3A|"; nocase; http_header; content:"cashnjoy|2E|com"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d08f008da737a52b4e6bfc630660a5c643e510370cf10d0a2ea23d4430379adf/analysis/; classtype:trojan-activity; sid:19796; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV NoAdware variant outbound connection"; flow:to_server,established; content:"/purchase/"; http_uri; content:"www|2E|noadware|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2ec01a76368d7e3d3fce1029e92f9729a2dee1b6d5e267cb5bd5519f2c062e3a/analysis/; classtype:trojan-activity; sid:19795; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fnumbot variant outbound connection"; flow:to_server,established; content:"/check.php"; http_uri; content:"p1=12345"; distance:0; http_uri; content:"fubar|2E|cheapsocks|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/06ea221f365142359f3a9648136e13ad28b50b40488075665f97bb345353dcbe/analysis/; classtype:trojan-activity; sid:19794; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.SillyFDC-DS variant outbound connection"; flow:to_server,established; content:"/404/"; http_uri; content:"xaimage|2E|cn"; fast_pattern:only; http_header; content:!"Referrer"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/c94795374ea6192d80ae929500a42e750efe689b53449268ce65c79ea4cdd685/analysis/; classtype:trojan-activity; sid:19793; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Caxnet.A variant outbound connection"; flow:to_server,established; content:"/api.php"; http_uri; content:"www|2E|dwon1028Request|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2ea6c56efe38c926556ae4ae1d8b5535eb430be8440a79216932255844756c26/analysis/; classtype:trojan-activity; sid:19792; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8181 (msg:"MALWARE-CNC Trojan-Dropper.Win32.Small.awa variant outbound connection"; flow:to_server,established; content:"<OS>"; nocase; content:"</OS>"; distance:0; content:"<CPU>"; distance:0; content:"</CPU>"; distance:0; content:"<MEM>"; distance:0; content:"</MEM>"; distance:0; reference:url,www.virustotal.com/en/file/83ae36bbe35e535a7cf5ca28a5761558e1d5570defa36f749bed69300ac4f4b4/analysis/; classtype:trojan-activity; sid:19791; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC P2P Worm Win.Trojan.SpyBot.pgh variant outbound connection"; flow:to_server,established; flowbits:isset,malware.spybot; content:"JOIN"; nocase; content:"|23|SPY|23|"; distance:0; nocase; reference:url,www.virustotal.com/en/file/d4d8d973b1ede40353db3f8b961752ced1e34b1c68d3abffcef1c4539068c435/analysis/; classtype:trojan-activity; sid:19790; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC P2P Worm Win.Trojan.SpyBot.pgh variant outbound connection"; flow:to_server,established; content:"hotmail|2E|com"; nocase; content:"Vampire|2E|Webchat|2E|org"; distance:0; fast_pattern; nocase; flowbits:set,malware.spybot; flowbits:noalert; reference:url,www.virustotal.com/en/file/d4d8d973b1ede40353db3f8b961752ced1e34b1c68d3abffcef1c4539068c435/analysis/; classtype:trojan-activity; sid:19789; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.VB.pnc variant outbound connection"; flow:to_server,established; content:"/tj/xx02.htm"; http_uri; content:"www|2E|365dh|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/26c700749032b3f1ee9de509f443b05bf59406ff09c348d176fa1cd9fb48ac5e/analysis/; classtype:trojan-activity; sid:19788; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"MALWARE-CNC Exploit-PDF.t variant outbound connection"; flow:to_server,established; content:"|98 20 15 81 D7|"; content:"|B3 D8 21 28 5A F0 E5 DD|"; within:8; distance:4; reference:url,www.virustotal.com/en/file/2b65749fb76c9f75113cfdae1f56803ea5b9c6697ab3aa59c54106d5d6537e54/analysis/; classtype:trojan-activity; sid:19787; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Malushka.T variant outbound connection"; flow:to_server,established; content:"/a"; http_uri; content:"www|2E|ismys|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/eeacd7b64398220f0c9d4720469df059602c0f6058696667bcfbcd58338f55ea/analysis/; classtype:trojan-activity; sid:19785; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.AutoRun.sde variant outbound connection"; flow:to_server,established; content:"/manda.php"; nocase; http_uri; content:"id="; distance:0; http_uri; pcre:"/User-Agent\x3A\s+_/iH"; metadata:service http; reference:url,www.virustotal.com/#/file/45bff647a690be2b81de87ca34954dc8/detection; classtype:trojan-activity; sid:19784; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload.agcw variant outbound connection"; flow:to_server,established; content:"/appinfo/webstd/novo/procopspro.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/41c4d47137704f508ebdcd8ab2f783d9/detection; classtype:trojan-activity; sid:19783; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AVKill.bc variant outbound connection"; flow:to_server,established; content:"|2F|2009|2F 2F|update|2E|txt"; nocase; content:"www|2E|2008|2E|366ent|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/84740940db5a8db9ddbe1dc30e25b9e2/detection; classtype:trojan-activity; sid:19782; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Dropper.Win32.Agent.aqpn variant outbound connection"; flow:to_server,established; content:"|2F|winxp|2F|mm|2E|txt"; nocase; http_uri; content:"www|2E|dy2004|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/c1dbdc1e0d21f8aaf6c33edf0e35d03b/detection; classtype:trojan-activity; sid:19781; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Agent2.guy dropper variant outbound connection"; flow:to_server,established; content:"A00500000000000000000"; depth:21; reference:url,www.virustotal.com/en/file/1eb57ad9d0f0dae5e089993141988fbe08614c1c7a5bd5ecbd943a829f67c302/analysis/; classtype:trojan-activity; sid:19776; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Gen-Trojan.Heur variant outbound connection"; flow:to_server,established; content:"/a/update.xml"; nocase; http_uri; content:"baidu.avtupian.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/77874a5fe91756641c1a90c70b8587f7a6ae8c2443e209006c4c9af1ee0b3974/analysis/; classtype:trojan-activity; sid:19774; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3070 (msg:"MALWARE-CNC Virus.Win32.Parite.B variant outbound connection"; flow:to_server,established; content:"Version*|28|"; depth:9; nocase; flowbits:isset,parite.init; reference:url,www.virustotal.com/en/file/d62e2e63beaa442c2dd527fa90775149f9a9e223f271236f6412ccc5cb73bccf/analysis/; classtype:trojan-activity; sid:19773; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3070 (msg:"MALWARE-CNC Virus.Win32.Parite.B variant outbound connection"; flow:to_server,established; content:"Status*|28|Idle...|29|*"; depth:17; nocase; flowbits:set,parite.init; flowbits:noalert; reference:url,www.virustotal.com/en/file/d62e2e63beaa442c2dd527fa90775149f9a9e223f271236f6412ccc5cb73bccf/analysis/; classtype:trojan-activity; sid:19772; rev:7;)
alert udp $HOME_NET any -> $EXTERNAL_NET 9023 (msg:"MALWARE-CNC Win.Trojan.Yoddos variant outbound connection"; dsize:112; content:"|9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C 9C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137/analysis/; classtype:trojan-activity; sid:19771; rev:8;)
alert udp $HOME_NET any -> $EXTERNAL_NET 9023 (msg:"MALWARE-CNC Win.Trojan.Yoddos variant outbound connection"; dsize:210; content:"|EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA EA|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137/analysis/; classtype:trojan-activity; sid:19770; rev:8;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Yoddos outbound indicator"; itype:8; icode:0; content:"YYYYYYYYYYYYYYYYYYYYYYYYYYYY"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a7f97ed5c064b038279dbd02554c7e555d97f67b601b94bfc556a50a41dae137/analysis/; classtype:trojan-activity; sid:19769; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Msposer.A variant outbound connection"; flow:to_server,established; content:"Connected|3E|"; depth:13; nocase; content:"AT Port|23|"; within:16; distance:8; nocase; content:"|7C 3C 3E 7C|"; within:8; distance:2; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/7c1c9297069ecc11ab12fd03d2cfa2fb82a6da0fcbd2e435fe0be0f548f031e8/analysis/; classtype:trojan-activity; sid:19767; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Worm.Autorun variant outbound connection"; flow:to_server,established; content:"STOR Ip-"; depth:8; content:".LOG|0D 0A|"; within:32; metadata:service ftp; reference:url,www.virustotal.com/en/file/52310295ad86031b42ae2b50e3f808134c6336620a5e96eb171dcaf9b483100a/analysis/; classtype:trojan-activity; sid:19766; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/aviso_c1.php"; fast_pattern; http_uri; content:"rotina|3D|"; nocase; http_client_body; content:"maquina|3D|"; distance:0; nocase; http_client_body; content:"instalado|3D|"; distance:0; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/14ff9539ab76ab0f555dc4664c260709a576eb49fdb625784ee2e3ff0b1bfe07/analysis/; classtype:trojan-activity; sid:19765; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RDPdoor.AE variant outbound connection"; flow:to_server,established; content:"q|3D|a|26|id|3D|"; nocase; http_client_body; content:"|26|o|3D|"; distance:0; nocase; http_client_body; content:"|26|v|3D|"; distance:0; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/e1935ba95edd804f6c3e13ba9f306420568a6474c753f93c95d48aca46541323/analysis/; classtype:trojan-activity; sid:19764; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RDPdoor.AE variant outbound connection"; flow:to_server,established; content:"q|3D|m|26|id|3D|"; nocase; http_client_body; content:"|26|o|3D|"; distance:0; nocase; http_client_body; content:"|26|v|3D|"; distance:0; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/e1935ba95edd804f6c3e13ba9f306420568a6474c753f93c95d48aca46541323/analysis/; classtype:trojan-activity; sid:19763; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RDPdoor.AE variant outbound connection"; flow:to_server,established; content:"q|3D|i|26|id|3D|"; nocase; http_client_body; content:"|26|o|3D|"; distance:0; nocase; http_client_body; content:"|26|v|3D|"; distance:0; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/e1935ba95edd804f6c3e13ba9f306420568a6474c753f93c95d48aca46541323/analysis/; classtype:trojan-activity; sid:19762; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ftpharvxqq variant outbound connection"; flow:to_server,established; content:"/hole.php"; http_uri; content:"num="; nocase; http_client_body; content:"&buffer="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/595eea79c7a5e3c26650e9a1cbf780bf/detection; classtype:trojan-activity; sid:19761; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arsinfoder variant outbound connection"; flow:to_server,established; content:".php?ver="; nocase; http_uri; content:"&sid="; distance:0; nocase; http_uri; content:"&info="; nocase; content:"Connection|3A 20|Close"; nocase; http_header; content:!"Referer"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/8f685c11dc4acadcd684feee71f2e75df74bc80b56a9c5c5bef79ce2f96acd78/analysis/; classtype:trojan-activity; sid:19760; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-PSW.Win32.FireThief.h variant outbound connection"; flow:to_server,established; content:"MVawerVriutlaIEDHradrDvie"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/2562f8d708a140442e1d262bab9ee7ba/detection; classtype:trojan-activity; sid:19759; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Small.yw variant outbound connection"; flow:to_server,established; content:"|2F|main|2F|rand|2F|test|2E|php|3F|ver|3D|"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/3bfdf0e78e2cd535363df5b31d7d9b9f/detection; classtype:trojan-activity; sid:19758; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.bqlu variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|gomtour"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/47ba0a8b858524820b184bfa442ce09f/detection; classtype:trojan-activity; sid:19757; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alphabet variant outbound connection"; flow:to_server,established; content:"|2F|gettime|2E|php"; nocase; http_uri; content:"setup|2E|bestmanage|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/405ffdc392ab64635621429cf5adb025/detection; classtype:trojan-activity; sid:19755; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Delf.RGL variant outbound connection"; flow:to_server,established; content:"/znam/images/fect/post.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/8b1a7e43dbd1ff4cdae2e814e05882ed/detection; classtype:trojan-activity; sid:19754; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TrojanSpy.Win32.Zbot.gen.C variant outbound connection"; flow:to_server,established; content:"/rssfeederd2/stat1.php"; nocase; http_uri; content:"Host|3A| theyourbest|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/5d9b6e2832d3c659d29c8bf35cc2e3a4/detection; classtype:trojan-activity; sid:19753; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"|2F|rp.txt|3F|ver"; fast_pattern:only; http_uri; content:"bugreport.waverevenue.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/dab88d7963e15f39c7a0924769127050/detection; classtype:trojan-activity; sid:19752; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Sohanad.bm variant outbound connection"; flow:to_server,established; content:"|2F|abuseFrozen.htm"; fast_pattern:only; http_uri; content:"www.webs.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/afaff29d0814242770cb9f847b5cf536/detection; classtype:trojan-activity; sid:19751; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PWS.Win32.Zbot.PJ variant outbound connection"; flow:to_server,established; content:"|2F|yyy|2F|333.bin"; fast_pattern:only; http_uri; content:"harararara.com"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/7b38da6e795b83f7387de688307b64bc/detection; classtype:trojan-activity; sid:19750; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.chgp variant outbound connection"; flow:to_server,established; content:"|2F|anzhuang.asp?MAC"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/37da79fe8c57fe4301e213d8e4f047f3/detection; classtype:trojan-activity; sid:19749; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 103 (msg:"MALWARE-CNC Win.Trojan.Crypt.ULPM.Gen IRC variant outbound connection"; flow:to_server,established; content:"|0D 0A|USER ChinaBot 0 0 :MHPV"; nocase; reference:url,www.virustotal.com/en/file/19ac01e31ba3e11d5db23e1dee24b35c24cfa5714deddf2c189332b680fdc730/analysis/; classtype:trojan-activity; sid:19748; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.biiw variant outbound connection"; flow:to_server,established; content:"/gt_bd_93.php?srky="; nocase; http_uri; content:"&version="; distance:0; nocase; http_uri; content:"&GUID="; distance:0; nocase; http_uri; content:"&un="; distance:0; nocase; http_uri; content:"&cmd="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/fdd87380ea44cb01c8ad2d89795a39fcc8eddc5c42f8afe96cada77c516e6c8a/analysis/; classtype:trojan-activity; sid:19746; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FraudLoad.dyl variant outbound connection"; flow:to_server,established; content:"/ad_type.php"; nocase; http_uri; content:"data="; nocase; http_client_body; content:"searchzoeken.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9ce689a47d5596c29e5ddb707f2f90b83a2e66578c828803782b778066b0fb81/analysis/; classtype:trojan-activity; sid:19745; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Deecee.a variant outbound connection"; flow:to_server,established; content:"/void.php"; nocase; http_uri; content:"www.Gallach.runhost.net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d1b3d47d597a56975e2a333883aee0409551e617a7532e29770a4b5feda8bcc7/analysis/; classtype:misc-activity; sid:19744; rev:6;)
# alert tcp $HOME_NET [1024:65535] -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Hupigon.eqlo variant outbound connection"; flow:to_server,established; content:"|2A 2A 2A 2A 2A 2A 2A 2A|Messanger Passwort Pack|2A 2A 2A 2A 2A 2A 2A|"; fast_pattern:only; metadata:service ftp; reference:url,www.virustotal.com/en/file/0f932740af23de074b30db4c1aba0af17b7bd8470e3c2df1131379571962de7c/analysis/; classtype:trojan-activity; sid:19743; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.atff variant outbound connection"; flow:to_server,established; content:"/info.png?cmp="; nocase; http_uri; content:"&rid="; distance:0; nocase; http_uri; content:"&affid="; distance:0; nocase; http_uri; content:"&uid="; distance:0; nocase; http_uri; content:"&guid="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/3dafd186c1c8e2c3e87e459f7bed1d952256094765e62f3b3b713ad28a81fe6b/analysis/; classtype:trojan-activity; sid:19742; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.AutoRun.aczu variant outbound connection"; flow:to_server,established; content:"/usload/ld.php?v="; nocase; http_uri; content:"&rs="; distance:1; nocase; http_uri; content:"&uid="; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/4f94c0a2e8819962d51519488b82c853f900333a164e2be3a45a89129d60b54d/analysis/; classtype:trojan-activity; sid:19740; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1997 (msg:"MALWARE-CNC Win.Trojan.Apptom variant outbound connection"; flow:to_server,established; content:"|8C C8 85 83 8D BB AA 93 DF CC BB E8 AD 91 8C 86|"; depth:16; reference:url,www.virustotal.com/en/file/1304861df8208a37a136d09b52da0895fa59ee4f5ff01f053fb1d1efc9f54b55/analysis/; classtype:trojan-activity; sid:19739; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik.BRU variant outbound connection"; flow:to_server,established; content:"/1.php?q=1"; nocase; http_uri; content:"|0D 0A|Keep-Alive|3A 20|115|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/e5a1877d6495c66c8af2e262310e8af4e8e29b9b1289776ba4ce40cb00e5765f/analysis/; classtype:trojan-activity; sid:19733; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Idicaf variant outbound connection"; flow:to_server,established; dsize:732; content:"F335|00 00 00 00|"; depth:8; offset:16; content:"Service|20|Pack"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/06f65e782ca9a306f81dc26265ea25a1fe820d6333fbdd64004f60d599601513/analysis/; classtype:trojan-activity; sid:19732; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkwebot variant outbound connection"; flow:to_server,established; content:"/getcmd.php?uid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&traff="; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/819550132c76f9ccaa51e87a332f0bace159ac47dc45932afd517e74ba692ed5/analysis/; classtype:trojan-activity; sid:19731; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KukuBot variant outbound connection"; flow:to_server,established; content:"/mrow_pin/?id"; nocase; http_uri; content:"|0A|User|2D|Agent|3A 20|KUKU v"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d9c46ecfc91366f43bf1a8e0172465fb3918cf3cf9339de82d47f5d8b1c84a75/analysis/; classtype:trojan-activity; sid:19730; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Yayih variant outbound connection"; flow:to_server,established; content:"/info.asp"; depth:32; offset:5; nocase; content:"|7C|Win"; distance:0; reference:url,www.virustotal.com/en/file/0b08e7b13957d87a9b6dc8907de5c06c95e772081ce9f95a55fd96ec2092e082/analysis/; classtype:trojan-activity; sid:19729; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Yayih variant outbound connection"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"|61 00 0C 00|"; distance:0; content:"|7C|vv|7C|"; distance:0; nocase; reference:url,www.virustotal.com/en/file/0b08e7b13957d87a9b6dc8907de5c06c95e772081ce9f95a55fd96ec2092e082/analysis/; classtype:trojan-activity; sid:19728; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Bancos.DI variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|=============================================="; depth:512; content:"|0D 0A|Vers|E3|o Windows"; within:64; nocase; content:"|0D 0A|Vers|E3|o Browser"; within:64; nocase; content:"|0D 0A|Resolu|E7 E3|o de Tela"; within:64; nocase; metadata:service smtp; reference:url,www.virustotal.com/en/file/2ea7735db702ae879392d66df945f5c18ef6256b41497ceb9e38beb2bd3f4293/analysis/; classtype:trojan-activity; sid:19727; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Poison variant outbound connection"; flow:to_server,established; dsize:12<>16; content:"ueu|04 1B 12|"; depth:6; offset:6; reference:url,www.virustotal.com/en/file/18bf131116d9c69594b40af20dcf058901b29638ab12226de7a0e10672325cb5/analysis/; classtype:trojan-activity; sid:19726; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Poison variant outbound connection"; flow:to_server,established; content:"eueu|1C 11 10|u|01 14 07 12|"; depth:12; reference:url,www.virustotal.com/en/file/18bf131116d9c69594b40af20dcf058901b29638ab12226de7a0e10672325cb5/analysis/; classtype:trojan-activity; sid:19725; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|2D 2D|http|5F|post|5F|boundary|5F|field|5F|delimiter|5F|"; nocase; http_client_body; content:"form|2D|data|3B| name=|22|sid|22|"; within:30; distance:24; nocase; http_client_body; content:"name=|22|a|5F|cl|22|"; distance:80; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/6662bafa0430bef1fcb5f45a3ec1854692c1c5e0f6c88e3800df2f5f8277af4b/analysis/; classtype:trojan-activity; sid:19724; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pherbot variant outbound connection"; flow:to_server,established; content:"bot.php?hwid="; http_uri; content:"&pcname="; distance:0; nocase; http_uri; content:"&antwort="; distance:5; nocase; http_uri; content:"&os="; distance:5; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/40e7e0697fc7ae87d98497cbef5a4891f9d98eb36b609ce18f8b871a41168490/analysis/; classtype:trojan-activity; sid:19723; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poshtroper variant outbound connection"; flow:to_server,established; content:"/multireport/shop.php?fol="; nocase; http_uri; content:"&ac="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/960e08967210caa1cf7587c7a25673f4fb611dbe575f0d437ba0b764b97e1461/analysis/; classtype:trojan-activity; sid:19722; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IRCBot.mlh variant outbound connection"; flow:to_server,established; content:"|2F|dd|2F|index|2E|php"; http_uri; content:"byE8PCdtb"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/#/file/bcc2ff29b25ec9bc90e3bbcc2ff29b25ec9bc90e3b1a2a090c813/detection; classtype:trojan-activity; sid:19721; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Onestage.ws variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|AV1i"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/4a2361c227f14c4e81a674741169b7ba/detection; classtype:trojan-activity; sid:19720; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Email-Worm.Win32.Bagle.of variant outbound connection"; flow:to_server,established; content:"|2F|images|2F|blst|2E|php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/6ac40f04df827b65d94e6fdc1e92d32d/detection; classtype:trojan-activity; sid:19719; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Downloader.Win32.Agent.bkap variant outbound connection"; flow:to_server,established; content:"|2F|zt|2E|asp|3F|username|3D|"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/4a5003c8ae94991aeae6a2f4b74f68ed/detection; classtype:trojan-activity; sid:19718; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TrojanSpy.Win32.Banker.OO variant outbound connection"; flow:to_server,established; content:"|2F|anjo|2F|configs|2E|jpg"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/0c0cd36330d02ad7208cd6f72c3fa388/detection; classtype:trojan-activity; sid:19716; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.URLZone variant outbound connection"; flow:to_server,established; content:"|2F|89|2F|ff|2E|ie"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/27e8351a5b0bea5ef15c6681007fdee5/detection; classtype:trojan-activity; sid:19715; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"php?praquem="; nocase; http_uri; content:"titulo="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9b4c0118c802c3fc79c90764e9bf7c70e7efb8f04726785eb4f7f75f9785e61b/analysis/; classtype:trojan-activity; sid:19712; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jorik variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|IE"; fast_pattern:only; http_header; content:"type|3D|stats"; nocase; http_uri; content:"affid|3D|508"; http_uri; content:"subid|3D|new02"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1e92508de36f878dceb369121364bd3d/detection; classtype:trojan-activity; sid:19711; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.cer variant outbound connection"; flow:to_server,established; content:"/com_plugin.php"; nocase; http_uri; content:"subject|3D|"; nocase; http_client_body; content:"|26|message|3D|"; distance:1; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/f0adcc846220d1fbcbba69929f48ce928650228e6216d3211b9a116111154f9d/analysis/; classtype:trojan-activity; sid:19706; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.grdm variant outbound connection"; flow:to_server,established; content:"/one.php?dwId="; nocase; http_uri; content:"User-Agent|3A 20|Mozilla|0D 0A|"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f/analysis/; classtype:trojan-activity; sid:19705; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.grdm variant outbound connection"; flow:to_server,established; content:"/one.php?inf="; nocase; http_uri; content:"User-Agent|3A 20|Mozilla|0D 0A|"; nocase; http_header; pcre:"/\?inf\=[0-9a-f]{8}\x2Ex\d{2}\x2E\d{8}\x2E/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/db03b00a06360745f0d126ccada6e9658ff943bd351262ecba06f32c07aa630f/analysis/; classtype:trojan-activity; sid:19704; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Dusta.br outbound connnection"; flow:to_server,established; content:"/funtionsjs"; nocase; http_uri; content:"User-Agent|3A 20|vb|20|wininet|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2083e1fca5aedbf9e496596933f92c62b532d01cb2f2d69ee9224d0706f27bb0/analysis/; classtype:trojan-activity; sid:19703; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zboter.E variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"board/index.php"; http_uri; content:"name|3D 22|data|22 3B 20|filename|3D|"; nocase; http_client_body; content:"|0D 0A 0D 0A|rRH5"; distance:0; fast_pattern; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/418815d5a60624acdd57ef600cd74186a6b46a729335c3bd2e8e4af2c41957ba/analysis/; classtype:trojan-activity; sid:19702; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hassar.A variant outbound connection"; flow:to_server,established; content:"/?oA"; http_uri; content:"AAAAAAAAAAAAAAAo"; within:17; distance:9; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/aa96751b20ae61e9174d735c3c2c7630307d529c6ba5fd691d32ff5504f626d7/analysis/; classtype:trojan-activity; sid:19701; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"MALWARE-CNC Win.Trojan.Agent.tnr variant outbound connection"; flow:to_server,established; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:url,www.virustotal.com/#/file/828eda21c4aad115faaf6199ee1bd1fd/detection; classtype:trojan-activity; sid:19700; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TrojanDownloader.Win32.Korklic.A variant outbound connection"; flow:to_server,established; content:"|2F|version|2E|php|3F|mode|3D|boot|26|MyValue|3D 26|code|3D|"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/56e8fb9aa80613e87d42be771867220d/detection; classtype:trojan-activity; sid:19699; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Prosti.AG variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|WinInetHTTP"; fast_pattern:only; http_header; content:"|2F|scr2|2E|php|3F|id|3D|"; metadata:service http; reference:url,www.virustotal.com/#/file/c3ee1a1d4076911fb417ca1bc3be6c0e/detection; classtype:trojan-activity; sid:19698; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spy.Win32.VB.btm variant outbound connection"; flow:to_server,established; content:"/new.html"; http_uri; content:"xz|2E|ub9|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1c2a31a96835479850e221ffed29510308203d4d1497e8c27502f9f70c8c3df8/analysis/; classtype:trojan-activity; sid:19697; rev:7;)
# alert tcp $EXTERNAL_NET 4244 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SdBot.nng inbound connection"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"|23 21|dll|21|"; distance:0; nocase; content:"|3A 2E|msn|2E|msg"; distance:0; nocase; content:"myspace|2D|image|2E|info|2F|viewimage|2E|php|3F 3D|"; distance:0; fast_pattern; nocase; reference:url,www.virustotal.com/en/file/60c6d3c02efbd0dd9c283a61e336ad04e32b5d7a3f20fb1ac831003d08ebc51f/analysis/; classtype:trojan-activity; sid:19696; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.VB.nec variant outbound connection"; flow:to_server,established; content:"/cpa/count.asp"; http_uri; content:"www|2E|fun114|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/52bd83774b90ec704e09391c58742248ce5c997f4c998a7cd4079debc7d58f13/analysis/; classtype:trojan-activity; sid:19695; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Riern.K variant outbound connection"; flow:to_server,established; content:"|B7 B2 B7 95|"; content:"|6A 6A 6A 6A 6A 6A 6A|"; within:7; distance:1; isdataat:316,relative; content:"|6A 6A 6A 6A|"; within:4; distance:312; metadata:service http; reference:url,www.virustotal.com/en/file/d0caa15ba654770384911aef123e17d2b6b9fbf587ef0f1c351fc0f661d7ecd1/analysis/; classtype:trojan-activity; sid:19660; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Soleseq.A variant outbound connection"; dsize:1057; content:"|00 00 00 00 00 00 00 00 00 00|"; depth:10; content:!"|00|"; within:40; metadata:service dns; reference:url,www.virustotal.com/en/file/aa8d9885fefcb547e3193cb1ee12b523dcab040c1f7e7d36087f9fcd36412c2a/analysis/; classtype:trojan-activity; sid:19659; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MCnovogic.A variant outbound connection"; flow:to_server,established; content:"/Default.asp?usuario="; nocase; http_uri; content:"|26|x="; within:5; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/438d0355c3203af924166453db66ad8b0ff7aee611848b4dda43a9068bf14958/analysis/; classtype:trojan-activity; sid:19658; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV variant traffic"; flow:to_server,established; content:"/1020"; depth:5; fast_pattern; http_uri; content:"Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A 0D 0A|"; nocase; pcre:"/\x2f1020\d{6,16}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/01631197b30df842136af481372f266ebbd9eabb392d4a6554b88d4e23433363/analysis/; classtype:trojan-activity; sid:19657; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Dropper.Win32.Peace.lh variant outbound connection"; flow:to_server,established; content:"/lol/"; nocase; http_uri; content:"smouch|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/6326d6c7ef0cb0ea88bf64b1c58972fa/detection; classtype:trojan-activity; sid:19656; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Dropper.Agent.IK variant outbound connection"; flow:to_server,established; content:"|2F|update|2F|run|2E|php"; nocase; http_uri; content:"Host|3A 20|www|2E|happycoin|2E|co|2E|kr"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/73ef7fc912ec41436f16e0f705e210dd/detection; classtype:trojan-activity; sid:19655; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Spy.Win32.Zbot.wti variant outbound connection"; flow:to_server,established; content:"|2F|hcfg|2F|habl|2E|bin"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/aaa1860205f2839e06f7dd49d26e0400/detection; classtype:trojan-activity; sid:19654; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Teevsock C variant outbound connection"; flow:to_server,established; content:"/update/users.php"; http_uri; content:"stparam="; distance:0; http_uri; content:"inparam="; distance:0; http_uri; content:"servupdate|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/03b711b3e0309655adda0201ecab22d64e4fbd8610dd9a0060312a589255bade/analysis/; classtype:trojan-activity; sid:19652; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.Win32.Banbra.mcq variant outbound connection"; flow:to_server,established; content:"/appinfo/webstd/novo/procopspro.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/95783bdfbeec3e3a23e75868404d339d1eec7cf075232d5fada762de4d8a553f/analysis/; classtype:trojan-activity; sid:19616; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.IRCBot.kkr variant outbound connection"; flow:to_server,established; flowbits:isset,malware.ircbotkkr.a; content:"JOIN|20 23 21|xd|21 20|r0x"; depth:14; nocase; reference:url,www.virustotal.com/en/file/2c82bb888af7fc4e162418441d0ea2bdadb35f33a21e68798b422a0c22b09006/analysis/; classtype:trojan-activity; sid:19615; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.IRCBot.kkr variant outbound connection"; flow:to_server,established; content:"NICK"; nocase; content:"USER"; distance:0; nocase; content:"|22|hotmail|2E|com|22|"; distance:0; nocase; content:"|22|xd|2E|zbv2dns|2E|com|2E|es|22|"; distance:0; nocase; flowbits:set,malware.ircbotkkr.a; flowbits:noalert; reference:url,www.virustotal.com/en/file/2c82bb888af7fc4e162418441d0ea2bdadb35f33a21e68798b422a0c22b09006/analysis/; classtype:trojan-activity; sid:19614; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rogue Software Registry Cleaner Pro variant outbound connection"; flow:to_server,established; content:"/join1.php"; http_uri; content:"www|2E|registry|2D|activation|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/cc65d6ed6c09efe07e14e619fac760094fe90fdaaf71a3d9888d9eaa7cc99cc9/analysis/; classtype:trojan-activity; sid:19613; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Banload.bvk variant outbound connection"; flow:to_server,established; content:"/photo/tju-15-06-09.jpg"; http_uri; content:"www|2E|ishiharakikaku|2E|co|2E|jp"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/aba43d2f91a1758597c42f59bc1facc3e286b08927c1fc1a14643d26a3c887aa/analysis/; classtype:trojan-activity; sid:19612; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wisscmd.A variant outbound connection"; flow:to_server,established; content:"P2PCMD.Local!"; depth:13; offset:10; nocase; content:"P2PCMD.hello!"; distance:3; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/05f8b6760431c37d93ad7cc3a6690bd57ae83881d5512c8142a7dd28df6833eb/analysis/; classtype:trojan-activity; sid:19608; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9222 (msg:"MALWARE-CNC Win.Trojan.Agent.cws variant outbound connection"; flow:to_server,established; content:"ping|7C|"; depth:5; nocase; pcre:"/ping\x7c\d+\x7c.+\x7c\d\x7c\d\x7c.+\x7c/i"; reference:url,www.virustotal.com/en/file/0499b20ce197e9465fb5675a15410b895c9d664b0fcf8d947fdf120ff0ddcfbf/analysis/; classtype:misc-activity; sid:19597; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 143 (msg:"MALWARE-CNC Poison Ivy variant outbound connection"; flow:to_server,established; content:"|AB BF 09 B7 20 1C 7D 93 58 25 CD D6 A8 C2 AD 6B|"; depth:16; reference:url,www.virustotal.com/en/file/50c44420ff67e8e47fe97524f0541e88b8cc0d787d20443c31df57f4541a601d/analysis/; classtype:misc-activity; sid:19596; rev:5;)
# alert tcp $EXTERNAL_NET 11830 -> $HOME_NET ANY (msg:"MALWARE-CNC Win.Worm.Agent.btxm variant outbound connection IRC"; flow:to_client,established; content:"!http"; nocase; content:"reversep.exe"; nocase; reference:url,www.virustotal.com/en/file/066f24f2379c69ce5273d77fa9939340ccf9042952cf8c05f5a1704daec750f2/analysis/; classtype:trojan-activity; sid:19593; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/url3"; nocase; http_uri; content:"Host|3A| zabasearch.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/066f24f2379c69ce5273d77fa9939340ccf9042952cf8c05f5a1704daec750f2/analysis/; classtype:misc-activity; sid:19592; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Powp.pyv variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A 20|753cda8b05e32ef3b82e0ff947a4a936|0D|"; fast_pattern:only; http_header; content:"userandpc="; http_client_body; content:"admin="; distance:0; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/112984ba819bb826dd3064514afb95106bd257ad7d5e0e8d23f95f6fc8e4d110/analysis/; classtype:trojan-activity; sid:19591; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Savnut.B variant outbound connection"; flow:to_server,established; content:"&id="; nocase; content:"&version"; distance:0; nocase; content:"&vendor="; distance:0; nocase; content:"&do="; distance:0; nocase; content:"&check=chck"; distance:0; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4aad64ad4f2517983051818a818e449599f79ade89af672d0e90af53dcfff044/analysis/; classtype:trojan-activity; sid:19590; rev:7;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sereki.B successful connection"; flow:to_client,established; flowbits:isset,backdoor.sereki; file_data; content:"!chckOK!"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/fe94c7bab1809fa44840d953abd88e22b939823e9991ba27b00c7ce4c490a7d0/analysis/; classtype:trojan-activity; sid:19588; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sereki.B variant outbound connection"; flow:to_server,established; content:"/chck.dat"; http_uri; content:!"User-Agent"; nocase; flowbits:set,backdoor.sereki; flowbits:noalert; metadata:service http; reference:url,www.virustotal.com/en/file/fe94c7bab1809fa44840d953abd88e22b939823e9991ba27b00c7ce4c490a7d0/analysis/; classtype:trojan-activity; sid:19587; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clicker Win.Trojan.Agent.dlg variant outbound connection"; flow:to_server,established; content:"/bc/123kah.php"; http_uri; content:"cpmsky|2E|biz"; fast_pattern:only; http_header; content:"&version="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/en/file/07dd817df54ad6b7d485b732eb6c5a04ed2b940e7deecc6b941090dfa6366391/analysis/; classtype:trojan-activity; sid:19586; rev:8;)
# alert tcp $HOME_NET 113 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Dref.C variant outbound connection - notification"; flow:to_client,established; content:"USERID|20 3A 20|UNIX|20 3A 20|"; reference:url,www.virustotal.com/en/file/f94b972fe97c7c05c0ff7b39088eb50762fda8cf434909cdc99fc15ccb765030/analysis/; classtype:trojan-activity; sid:19585; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Worm.Dref.C variant outbound connection"; flow:to_server,established; content:"PRIVMSG|20 23|irc|20 3A 2E 2E 3A 5B 21 69 72 63 5D 3A 2E 2E|"; depth:26; reference:url,www.virustotal.com/en/file/f94b972fe97c7c05c0ff7b39088eb50762fda8cf434909cdc99fc15ccb765030/analysis/; classtype:trojan-activity; sid:19584; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bumat.rts variant outbound connection"; flow:to_server,established; content:"/zamena_stats/index.php"; http_uri; content:"mysoft-forum|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9171413095f803a3a15ead436565d087f4331d2bd4e0593545b6343e28b0676e/analysis/; classtype:trojan-activity; sid:19583; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1671 (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Apher.gpd variant outbound connection"; flow:to_server,established; content:"|10 00 00 00|Windows"; fast_pattern:only; content:"Mhz"; reference:url,www.virustotal.com/en/file/0fd4609e5dea73cb8fa7b2950bba114f87606aa3961162fa26dcf2e28d5e1031/analysis/; classtype:trojan-activity; sid:19582; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Win32.Apher.gpd variant outbound connection"; flow:to_server,established; content:"3.exe"; http_uri; content:"avzhan1|2E|3322|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/0fd4609e5dea73cb8fa7b2950bba114f87606aa3961162fa26dcf2e28d5e1031/analysis/; classtype:trojan-activity; sid:19581; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Worm.Basun.wsc inbound connection"; flow:to_client,established; content:":.dl http://"; depth:12; nocase; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/328a6352112f513fcae806a1e1e05b0f8cc2e3a2779b96df684a97fe68dd6264/analysis/; classtype:trojan-activity; sid:19580; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Potao.A variant outbound connection"; flow:to_server,established; content:"/task"; nocase; http_uri; content:"&code="; nocase; http_client_body; content:"&sdata="; nocase; http_client_body; content:"&dlen="; nocase; http_client_body; content:"&data="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d7a0f5b47e4fc181a306c276bd2b4b77155e165838451e82d62c1323f2aeac27/analysis/; classtype:trojan-activity; sid:19579; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Dogrobot.E variant outbound connection"; flow:to_server,established; content:"/count.asp?"; http_uri; content:"mac="; distance:0; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; content:"dtime="; distance:0; nocase; http_uri; content:"User-Agent|3A 20|baidu|0D 0A|"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/cba4a3f15a81f093fe935d3c0d8156996284eb5d9c03079103bd52086cc9004c/analysis/; classtype:trojan-activity; sid:19577; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Emold.U variant outbound connection"; flow:to_server,established; content:"/NIU1/get.php"; http_uri; content:"uid="; distance:0; http_uri; content:"Host|3A|"; nocase; http_header; content:"us18|2E|ru"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/601f206a9545ce59a3272012e76f2b90889abe153d6f9e7bfa6aa368e2b67b05/analysis/; classtype:trojan-activity; sid:19575; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection"; flow:to_server,established; content:"|FF|SMB|A2 00|"; content:"|5C 00|k|00|a|00|v|00|3|00|2|00|.|00|e|00|x|00|e|00|"; distance:0; nocase; metadata:service netbios-ssn; reference:url,www.virustotal.com/en/file/5c77bd8023997f5477338ab43e555b38f2214e756af026b2a3b910467ee2d3a3/analysis/; classtype:trojan-activity; sid:19574; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Chiviper.C variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; pcre:"/mac=(?P<q1>[a-zA-Z]{10})&ver=\d\x2e\d[\x0D-\x7E\s]*User-Agent\x3A\s+(?P=q1)\s+$/smi"; metadata:service http; reference:url,www.virustotal.com/en/file/5c77bd8023997f5477338ab43e555b38f2214e756af026b2a3b910467ee2d3a3/analysis/; classtype:trojan-activity; sid:19573; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FFSearch variant outbound connection"; flow:to_server,established; content:"SY4VHK-eedgRAeZm-1E61fJun1dK-U1fKQC"; fast_pattern; http_uri; content:"version=0"; distance:0; nocase; http_uri; pcre:"/User-Agent\x3A[^\n\r]*Microsoft-Symbol-Server/iH"; metadata:service http; reference:url,www.virustotal.com/#/file/09dbd01791f310b9d97378cac6efa185/detection; classtype:trojan-activity; sid:19572; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Perkesh variant outbound connection"; flow:to_server, established; content:"/count/count.asp"; nocase; http_uri; content:"Mac="; depth:4; nocase; http_client_body; content:"&Os="; distance:16; nocase; http_client_body; content:"User-Agent|3A| MyApp|0D 0A|"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/8ae30b001ed9d55cd098505ee8049c5fa64d632e68ed236504bc0972c3e0bbd2/analysis/; classtype:trojan-activity; sid:19569; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Spy.Win32.PerfectKeylogger variant outbound connection"; flow:to_server,established; content:"/1stupload.php"; nocase; http_uri; content:"name=|22|username|22 0D 0A|"; nocase; http_client_body; content:"name=|22|computername|22 0D 0A|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/cb3fc3b5507fce9635522b079576efa11a8a16b1e5dc03aa27c4c5782e6eb433/analysis/; classtype:trojan-activity; sid:19568; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC Win.Trojan.Shark.ag variant outbound connection"; flow:to_server,established; content:"VERSON|3A|"; depth:7; pcre:"/^VERSON\x3a[123]\x7c/i"; reference:url,www.virustotal.com/en/file/c9cd20555d981cd9f577f2addca274984b52f2b084264450e4cc117eaca84fb2/analysis/; classtype:trojan-activity; sid:19557; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Homa variant outbound connection"; flow:to_server,established; content:"/home.a"; http_uri; content:"nossasfotos00833|2E|com|2E|sapo|2E|pt"; fast_pattern:only; http_header; content:"MSIE|20|5.01"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c0b62adad729bc5eeb58684ca899c463b0b64524d14d42388e62e12a0525d2a8/analysis/; classtype:trojan-activity; sid:19556; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Small variant outbound connection"; flow:to_server,established; content:"/App/Ver_MainPro.txt"; fast_pattern:only; http_uri; content:"Ver_MainPro.txt"; nocase; content:"User-Agent|3A 20|Up"; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/a5b57e7d82f77b26753d12c307318a61697280e3c430cfdcc50d995a474e8fef/analysis/; classtype:trojan-activity; sid:19555; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav Antivirus Xp Pro variant outbound connection"; flow:to_server,established; content:"/buy/"; http_uri; content:"antivirus-xppro2009|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/b39ad40e95f00f7f89b9e97300979a118700c66e5b9d537db7d3b09937a88d09/analysis/; classtype:trojan-activity; sid:19554; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 5907 (msg:"MALWARE-CNC Win.Worm.Pilleuz variant outbound connection"; content:"|61|"; depth:1; isdataat:!6,relative; reference:url,www.virustotal.com/en/file/4bb0b9162b77f717f03e9049393634e8b01209defd473733cecfdb623378a44d/analysis/; classtype:trojan-activity; sid:19495; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Licum variant outbound connection"; flow:to_server,established; content:"/vx9/dl.exe"; http_uri; content:"utenti|2E|lycos|2E|it"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/3217fcc95bf802a1bdc01c0e1848c712bf5cbfccacd0c1ff7659d9ab191fe58f/analysis/; classtype:trojan-activity; sid:19494; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Windows System Defender variant outbound connection"; flow:to_server,established; content:"/Reports/get_software_data.php"; http_uri; content:"pid="; distance:0; http_uri; content:"TALWinInetHTTPClient"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6ae17dc50fd429f03541876bf5b774b9bf28758294b05a0301ceeaa66d2a93dc/analysis/; classtype:trojan-activity; sid:19492; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Genome.vau variant outbound connection"; flow:to_server,established; content:"/news/Gea2009.exe"; http_uri; content:"xtrahuman|2E|netsons|2E|org"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/9ffe172a7dfdc62c4b17b1cf63698904f2e0d14a12ac044932b6d1c99552d2d9/analysis/; classtype:trojan-activity; sid:19491; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Koceg.B variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20 5F 0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A|"; http_header; content:!"Accept-Encoding|3A|"; http_header; content:!"Connection|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/80d8cafe09031267d68a354b0e42d495/detection; classtype:trojan-activity; sid:19490; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DeAlfa.fa variant outbound connection"; flow:to_server,established; content:"|2F|k2j|2F|update|2E|php"; nocase; http_uri; content:"os="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/befcbf177c6677cfbe13dd9f73585ba4/detection; classtype:trojan-activity; sid:19489; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Failnum.A variant outbound connection"; flow:to_server,established; content:"/check.php"; nocase; http_uri; content:"p1|3D|"; nocase; http_uri; content:"p2|3D|"; nocase; http_uri; pcre:"/\x2Fcheck\x2Ephp\x3Fp1\x3D\d+?\x26p2\x3D[A-Za-z]+?\x26n\x3D/Ui"; metadata:service http; reference:url,www.virustotal.com/#/file/c00e51fba9f3b275436ce22c57772ca5/detection; classtype:trojan-activity; sid:19488; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.kih variant outbound connection"; flow:to_server,established; content:"|2F|robo|2E|php|3F|"; nocase; http_uri; content:"r|3D|"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/2b95518f11fde339183165a0a78045b1/detection; classtype:trojan-activity; sid:19487; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; dsize:<250; content:"|00 00 00|"; offset:6; content:"|00 00 78 9C|"; within:6; distance:1; pcre:"/^[\w\x40]+.{1}\x00\x00\x00.{2}\x00\x00\x78\x9c/smi"; metadata:impact_flag red; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:19484; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Reload.fy variant outbound connection"; flow:to_server,established; content:"tipo|3D|"; depth:5; nocase; http_client_body; content:"cli|3D|"; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.virustotal.com/#/file/73e9a49811ca4facaa2b90e95bd46b50/detection; classtype:trojan-activity; sid:19483; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 7328 (msg:"MALWARE-CNC Email-Worm.Win32.Agent.bx variant outbound connection"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; content:"|70 00 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:4; reference:url,www.virustotal.com/#/file/5206cedf090c64d5d72d06cd5701d516/detection; classtype:trojan-activity; sid:19481; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Net-Worm.Win32.Piloyd.m variant outbound connection - request html"; flow:to_server,established; content:"|2F|msn|2F|163|2E|htm"; http_uri; content:"If-None-Match"; fast_pattern:only; http_header; content:"If-Modified-Since"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/13aec81e42625335dbbe845426f2db2a/detection; classtype:trojan-activity; sid:19479; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Taterf.B variant outbound connection"; flow:to_server,established; content:"|2F|xmfx|2F|help1|2E|rar"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/5c070d20113dab2037cb0cb67f4fd47b/detection; classtype:trojan-activity; sid:19478; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Krap.af variant outbound connection"; flow:to_server,established; content:"|2F|btn|2F|Mix|2F|cfg|2E|bin"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/9622D3A187A82BE318E72990DFB5723F/detection; classtype:trojan-activity; sid:19477; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Exploit.Win32.SqlShell.r variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|VBTagEdit"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/ab319ece8a3622ef3010281dc51371bc/detection; classtype:trojan-activity; sid:19476; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-Clicker.Win32.Vesloruki.ajb variant outbound connection"; flow:to_server,established; content:"/nopmulti/tds2.php"; fast_pattern:only; http_uri; content:"Host|3A 20|saloongins.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6e8311fbfe57a0419025eb1d15df339bb200b5aca8ccd9b36410ba19d1c29015/analysis/; classtype:trojan-activity; sid:19457; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Packed.Win32.Klone.bj variant outbound connection"; flow:to_server,established; content:"/progs/"; nocase; http_uri; content:".php?adv=adv"; within:30; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; distance:4; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/b8fa4facba2c4fd358b6c9897c24b8f3d60503a24309b0166203228b1058906e/analysis/; classtype:trojan-activity; sid:19456; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.AutoRun.aw variant outbound connection"; flow:to_server,established; content:"|2F|List|2E|txt"; nocase; http_uri; content:"Host|3A 20|www|2E|5lyess|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=02bfd91521062b301059d44b4ae1a a24a2bae7e7dd0f6c41e3e5e317e6467162-1245096571; classtype:trojan-activity; sid:19455; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PWS.Win32.QQPass.IK variant outbound connection"; flow:to_server, established; content:"/ceshi/qq.txt"; fast_pattern:only; http_uri; content:"Host|3A| 0519qq.cn"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6fa8a15d6f127e8b2702e77eb618feaab9a68053f5fa44daa1bbdea66de2ca3d/analysis/; classtype:trojan-activity; sid:19454; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Litmus.203 variant outbound connection"; flow:to_server,established; content:"JOIN|20|#radarr|20|dalar"; depth:18; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/dba3ad588abc952a6bedf1ac225b011d78bf2f391a33e1fd6be83ad37cefa51c/analysis/; classtype:trojan-activity; sid:19435; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fujacks.aw variant outbound connection"; flow:to_server,established; content:"/sd/02ceo.jpg"; http_uri; content:"record|2E|orangebeartv|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/6617b6ebcfb381f0b3473e77ca67cb26db176a33d682b236154ac73e545a19b9/analysis/; classtype:trojan-activity; sid:19433; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxy Win.Trojan.Dosenjo.C variant outbound connection"; flow:to_server,established; content:"/l.php"; http_uri; content:"cashingDeny="; distance:0; http_uri; content:"winver="; distance:0; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22e5542569911f89a87f010b4219a59e84fd9855bafd41a7e0cc3c391cd0aaa4/analysis/; classtype:trojan-activity; sid:19429; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Adload.BG variant outbound connection"; flow:to_server,established; content:"/modlueol/"; http_uri; content:"User-Agent|3A 20|Mozilla|2F|4.0|20|(compatible|3B 20|MSIE|20|6.0"; fast_pattern:only; http_header; content:!"Referrer"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/5e46c2140d287cd79b2cf84e41e76e640855daacb5337f95521847cbe360c062/analysis/; classtype:trojan-activity; sid:19428; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.amjz variant outbound connection"; flow:to_server,established; content:"/myl/bb.php"; http_uri; content:"papaanarhia|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/50fc08ed123d724fa41da19510e615fc28fc96288a65fd1fd18b876f16d2ca4b/analysis/; classtype:trojan-activity; sid:19427; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Crypter.i variant outbound connection"; flow:to_server,established; content:"/showNews.asp"; http_uri; content:"www|2E|sealonline|2E|com|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/75e30dade4ff836fbf2b4fc4afc83d7303273258fda1161dc4700254222d5609/analysis/; classtype:trojan-activity; sid:19426; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"MALWARE-CNC vsFTPd 2.3.4 backdoor connection"; flow:to_server, established; content:"USER"; depth:4; nocase; content:"|3A 29|"; within:50; fast_pattern; pcre:"/^USER[^\n]+\x3a\x29/smi"; metadata:service ftp; reference:bugtraq,48539; classtype:trojan-activity; sid:19415; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Ozdok variant outbound connection"; flow:to_server,established; content:"|DB FD 37 7F 11 01 B9 E5|"; depth:8; offset:2; reference:url,www.virustotal.com/en/file/c523ea7ca25a68513a35e292e64d76e0126b1f6b6805e0b08ca35efbd3c5c383/analysis/; classtype:trojan-activity; sid:19404; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC P2P Worm.Win32.Malas.r variant outbound connection"; flow:to_server,established; content:"a_id="; http_uri; content:"domainname="; distance:0; http_uri; content:"User|2D|Agent|3A 20|KuKu"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/07859ae4e03aa55db98454ca9a9728cedfbf3f3c71f878ef28f6e6efe082047f/analysis/; classtype:trojan-activity; sid:19402; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6664:6669 (msg:"MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection"; flow:to_server,established; content:"JOIN"; nocase; content:"#rbase01"; within:32; nocase; content:"225548"; within:32; reference:url,www.virustotal.com/en/file/c02e06d271af4b93a4cc9c9ffc565ff202b64c5b1c7a4d19a81348d478377341/analysis/; classtype:trojan-activity; sid:19401; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6664:6669 (msg:"MALWARE-CNC Win.Worm.Sddrop.D variant outbound connection"; flow:to_server,established; content:"NICK"; content:"USER|20|"; distance:0; content:"|22|yahoo.com|22 20 22|127.0.0.1|22|"; distance:0; fast_pattern; nocase; content:"PONG 3BB33"; reference:url,www.virustotal.com/en/file/c02e06d271af4b93a4cc9c9ffc565ff202b64c5b1c7a4d19a81348d478377341/analysis/; classtype:trojan-activity; sid:19400; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Email Worm Win32.Zhelatin.ch variant outbound connection"; flow:to_server,established; content:"/sync/Sync.php"; http_uri; content:"rvz1="; distance:0; http_uri; content:"rvz2="; distance:0; http_uri; content:"tintraffic|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/10f1a61a6e07dce5a51b45d232c9a6ac75729c7cece4d8b5c33ffe6340c33a51/analysis/; classtype:trojan-activity; sid:19399; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BAT.Shutdown.ef variant outbound connection"; flow:to_server,established; content:"/4.htm"; http_uri; content:"www|2E|cy074|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/d1750687599f51e4b61495fc74b5df2ee287c16fcbfa9c1859724df851a2c075/analysis/; classtype:trojan-activity; sid:19398; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UltimateDefender.xv variant outbound connection"; flow:to_server,established; content:"/s/exx.php"; http_uri; content:"getgreatguide|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/3c1d7b21900ca97c1c2ad9e553de4e093e4e91b0376c53b221b15348a2a76b83/analysis/; classtype:trojan-activity; sid:19397; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Beastdoor.b variant outbound connection"; flow:to_server,established; content:"Subject|3A 20|Beast"; fast_pattern:only; content:"boundary=|22|bla|22|"; content:"Victim|20|Name"; distance:0; content:"Victim|20|IP|2D|"; distance:0; metadata:service smtp; reference:url,www.virustotal.com/en/file/e129659bd0c8d09f024623db134195999d16a434119cb2c01dc031adba3ff25f/analysis/; classtype:trojan-activity; sid:19396; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.Monkif.J inbound connection - dest ip infected"; flow:to_client,established; file_data; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 48 00 48 00 00 FF DB 00 43 00 05 03 04 04 04 04 04|"; depth:40; metadata:service http; reference:url,www.virustotal.com/en/file/0dbd6d5e2c1cd886b29c1507946ecf4d805d84a4e311c254ee5af2ee3f533411/analysis/; classtype:trojan-activity; sid:19395; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tidserv variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/generator"; fast_pattern; nocase; http_uri; content:!"User-Agent"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/2d916aa9baec86a12e8d0d7232d30b7ef545a1f5b6e7df17dc98c8e186d198ce/analysis/; classtype:trojan-activity; sid:19394; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.IC variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/3dll3.php"; fast_pattern; http_uri; content:"Content-Length|3A 20|3"; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/4bc2fd163e12113bc0a688d382c4bc017bef1876f21ee1b7217145c42bdd201f/analysis/; classtype:trojan-activity; sid:19371; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carberp.D variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/key.html"; nocase; http_uri; content:"id=lucky0"; fast_pattern; nocase; http_client_body; content:"&type="; distance:0; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/a2b213dcb64e647619795e2f3cebbbbe833dbe6a043f80b3bb97bf559aa73f28/analysis/; classtype:trojan-activity; sid:19370; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carberp.D variant outbound connection"; flow:to_server,established; content:"/cfg/stopav.psd"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/a2b213dcb64e647619795e2f3cebbbbe833dbe6a043f80b3bb97bf559aa73f28/analysis/; classtype:trojan-activity; sid:19369; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carberp.D variant outbound connection"; flow:to_server,established; content:"/cfg/miniav.psd"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/a2b213dcb64e647619795e2f3cebbbbe833dbe6a043f80b3bb97bf559aa73f28/analysis/; classtype:trojan-activity; sid:19368; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Vaubeg.A variant outbound connection"; flow:to_server,established; content:".php?rst="; nocase; http_uri; content:"|0A|User-Agent|3A 20|asInvoker|0D|"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/97a9d8812e88b94f0b5151b3bf8c009bd7f6b0f7eb4a26e1e702300a08a9aa6f/analysis/; classtype:trojan-activity; sid:19367; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HXWAN.A variant outbound connection"; flow:to_server,established; content:"HXWAN"; depth:5; content:"|00 00|"; within:2; distance:2; reference:url,www.virustotal.com/en/file/ef937aabf280bc4990b74cadc05d130c1dd711398991e64eb2a6ae184518e371/analysis/; classtype:trojan-activity; sid:19366; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dorkbot.B variant outbound connection"; flow:to_server,established; content:"JOIN|20 23|asiksi|23|"; nocase; reference:url,www.virustotal.com/en/file/4c2c745bde3ada3c266d9d341c52aefc4b3a79dfc42e269c6af04119e6f13aa7/analysis/; classtype:trojan-activity; sid:19363; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dcbavict.A variant outbound connection"; flow:to_server,established; content:"/fileext.php?h="; nocase; http_uri; content:"&rand="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/c3acb6cda3a8ea8f3a7960e808add0e59a9a03dbca285cd75bdddfb37b2353d3/analysis/; classtype:trojan-activity; sid:19361; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dcbavict.A variant outbound connection"; flow:to_server,established; content:"/make_status.php?h="; nocase; http_uri; content:"&r="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/c3acb6cda3a8ea8f3a7960e808add0e59a9a03dbca285cd75bdddfb37b2353d3/analysis/; classtype:trojan-activity; sid:19360; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dcbavict.A variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/abcd.php"; http_uri; content:"|0D 0A|File|3A 20|"; depth:100; offset:15; nocase; content:"|0D 0A|Victim|3A 20|"; within:64; distance:1; fast_pattern; nocase; metadata:service http; reference:url,www.virustotal.com/en/file/c3acb6cda3a8ea8f3a7960e808add0e59a9a03dbca285cd75bdddfb37b2353d3/analysis/; classtype:trojan-activity; sid:19359; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.XYTvn.A variant outbound connection"; flow:to_server,established; content:"XYTvn"; depth:5; fast_pattern; content:"|00 00|"; within:2; distance:2; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/be70ce81a9c241473d21c4d5a2250c1cb37b7bdbcea3bcf2ecf15742312c352a/analysis/; classtype:trojan-activity; sid:19358; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Sohanad.ila variant outbound connection"; flow:to_server,established; content:"/poojasharma/setting.ini"; http_uri; content:"User-Agent|3A 20|AutoIt"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ec3aeafcc48aa50ef2a2f51ce9d50bd3a8d0989dca85966a20552527540cc5ac/analysis/; classtype:trojan-activity; sid:19357; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fibbit.ax variant outbound connection"; flow:to_server,established; content:".php?id="; nocase; http_uri; content:"&session="; distance:0; nocase; http_uri; content:"&v="; distance:0; nocase; http_uri; content:"&name=botnet"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.securelist.com/en/descriptions/10322834/Trojan-Banker.Win32.Fibbit.ax; classtype:trojan-activity; sid:19356; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.bkhu variant outbound connection"; flow:to_server,established; content:".php?codigo="; http_uri; content:"id="; distance:0; nocase; http_uri; content:"computador="; distance:0; nocase; http_uri; content:"usuario_windows="; distance:0; fast_pattern; nocase; http_uri; content:"User-Agent|3A 20|HTTP Client"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/77d739bbceea4008e90b6431d9836fbe643ef4c47788b4fd9fc82d7f07f22889/analysis/; classtype:trojan-activity; sid:19353; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"MALWARE-CNC Win.Trojan.Small.D variant outbound connection"; flow:to_server,established; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:url,www.virustotal.com/en/file/17e7cc85df9e19f7c51078e866700488e8ef53e75642faf2be2d55061239f293/analysis/; classtype:trojan-activity; sid:19352; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clicker Win.Trojan.Hatigh.C variant outbound connection"; flow:to_server,established; content:"/tmp/sh.php"; http_uri; content:"quikup|2E|info"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30c6c5561d610ccbd22e88b8265aaa4bd7e17a8e139c7e9aedc645c85ef40910/analysis/; classtype:trojan-activity; sid:19351; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fakeav Vaccineclear variant outbound connection"; flow:to_server,established; content:"/pay/result.php"; http_uri; content:"www|2E|vaccineclear|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/57171f8da1558e6dfbe639efe72a81e64bd87ce6c97ec8ea6495cf17844efcb2/analysis/; classtype:trojan-activity; sid:19349; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader Win.Trojan.FraudLoad.emq variant outbound connection"; flow:to_server,established; content:"/fff9999.php"; http_uri; content:"mgjmnfgbdfb|2E|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3794798f5eeb53dd71001e4454f006c871eb7c9085e1bf5336efa07b70d7b38d/analysis/; classtype:trojan-activity; sid:19348; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1868 (msg:"MALWARE-CNC Win.Trojan.Poison.banr variant outbound connection"; flow:to_server,established; content:"USER|20|"; content:"|20 2A 20 30 20 3A|"; distance:0; pcre:"/^USER\x20(XP|98|95|NT|ME|WIN|2K3)\x2d\d+\x20\x2a\x20\x30\x20\x3a/mi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.threatexpert.com/report.aspx?md5=90eebe2201ea28a6c697dc5984b59ec1; classtype:trojan-activity; sid:19347; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Additional Guard variant outbound connection"; flow:to_server,established; content:"/index.php"; http_uri; content:"update2|2E|additionalguard|2E|net"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/ea0f2ded2ddb0fad4df8074e428c8c523eb994888a0c1d77a20347cf6d13518a/analysis/; classtype:trojan-activity; sid:19346; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC REAnti variant outbound connection"; flow:to_server,established; content:"/report"; http_uri; content:"www|2E|reanti|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/fe0ccfc5d56abfac52584c4d3afea2c814e7682e945baafce3c82c78fffcbca8/analysis/; classtype:trojan-activity; sid:19345; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC AntiMalware Pro variant outbound connection"; flow:to_server,established; content:"/join1.php"; http_uri; content:"www|2E|anti-malware-pro|2E|org"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/07f93b61e2aa2203393f0e63d96e31625ebfb7571752e88f46b34e4a9e7f9066/analysis/; classtype:trojan-activity; sid:19344; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adware Pro variant outbound connection"; flow:to_server,established; content:"/join"; http_uri; content:"www|2E|adwarepro|2D|site|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3e9559961ea43b3f603febf342b72809f03f79f3b7e9c56bfdc49fb9732d52ef/analysis/; classtype:trojan-activity; sid:19343; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adware Professional variant outbound connection"; flow:to_server,established; content:"/purchase/index.php"; http_uri; content:"www|2E|adwareprofessional|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/1b27b8c81e763d1eeb61a8ed054575a476f4688b9c3907283492786d1af2fc89/analysis/; classtype:trojan-activity; sid:19342; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm MSIL.AiO.a variant outbound connection"; flow:to_server,established; content:"/Interop.MessengerAPI.dll"; http_uri; content:"pcquad|2E|de"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/321f819452c61857f3eea280a611e04eda7449c9120441745ab1f54629807926/analysis/; classtype:trojan-activity; sid:19341; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav TREAntivirus variant outbound connection"; flow:to_server,established; content:"/buy"; http_uri; content:"www|2E|treav|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d067f84af92b2cff81412f4dac29369134a3ffdfb3d110288e9bda47cd7904b0/analysis/; classtype:trojan-activity; sid:19340; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper Win.Trojan.Agent.alda variant outbound connection"; flow:to_server,established; content:"/mydown.asp"; http_uri; content:"ver="; distance:0; http_uri; content:"tgid="; distance:0; http_uri; content:"address="; distance:0; http_uri; content:"www|2E|qqcjidc|2E|cn"; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4d875250872a1c6ec7d47be59ed7d244c2b9ce06a65ff251763e74adb5e2641d/analysis/; classtype:trojan-activity; sid:19339; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Clampi variant outbound connection"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\s+\/[A-Z0-9]{16}\s+/Ri"; content:"|0D 0A 0D 0A|o="; depth:256; fast_pattern; pcre:"/^[iacdu](&s=[^&]*)?&b=/Ri"; metadata:service http; reference:url,www.virustotal.com/en/file/858aa58a910e47453f220c511fb8044592a55b4ef081ff86c2193ff65b8c6707/analysis/; classtype:trojan-activity; sid:19332; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adclicker Win.Trojan.Zlob.dnz variant outbound connection"; flow:to_server,established; content:"/bc/123kah.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/90f352d7d96b53f20e4b539b55e39615ee852c6bbc6143d4cea7923ec265462e/analysis/; classtype:trojan-activity; sid:19331; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adclicker Win.Trojan.Zlob.dnz variant outbound connection"; flow:to_server,established; content:"/bc/ip.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; content:"opera"; distance:0; http_header; content:"Host|3A|"; nocase; http_header; content:"ads|2E|gooochi|2E|biz"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/90f352d7d96b53f20e4b539b55e39615ee852c6bbc6143d4cea7923ec265462e/analysis/; classtype:trojan-activity; sid:19330; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Faceback.exe variant outbound connection"; flow:to_server,established; content:"/v/we-popup.php?uid="; fast_pattern; nocase; http_uri; content:"cfgid="; distance:0; nocase; http_uri; content:"v="; distance:0; nocase; http_uri; content:"kw="; distance:0; nocase; http_uri; content:"country="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/1bf1f67b6ae589d0e843828db712d6eac6b02420f8e5e184234c2dda3bda732d/analysis/; classtype:trojan-activity; sid:19329; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PointGuide variant outbound connection"; flow:to_server,established; content:"/cont/proid.txt"; http_uri; content:"reward|2E|pointguide|2E|kr"; distance:0; fast_pattern; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2ef41c20bdadd9d85da91a68639f8ea8d733537ecbba7280ecbcbb31bfa3b2fe/analysis/; classtype:trojan-activity; sid:19328; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.aah variant outbound connection"; flow:to_server,established; content:"/shopsoo.htm"; http_uri; content:"www|2E|m77|2E|cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/238e9bb7856323e245b1eca5b01f961ab1c65f1faa30f25b415eed1ac0802328/analysis/; classtype:trojan-activity; sid:19312; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen3 variant outbound connection"; flow:to_server,established; content:"/load.php"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"http|3A 2F 2F|www|2E|virscan|2E|org|2F|report|2F|"; distance:0; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/3ef7b8c8007a10b9992f36967bf25890ef73e086180f2de0f10ce941339730a2/analysis/; classtype:trojan-activity; sid:19310; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyEye variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/_cp/gate.php"; fast_pattern:only; http_uri; content:!"Referrer"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d77c78e2072153e437f854aa3d677d8b985680d1b58fa48089a93889befac0c2/analysis/; classtype:trojan-activity; sid:19164; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dropper Win.Trojan.Cefyns.A variant outbound connection"; flow:to_server,established,only_stream; content:"tsc.php?&ses="; nocase; http_uri; content:"&200="; distance:0; http_uri; content:"&crc="; distance:0; nocase; http_uri; content:"&cv="; distance:0; nocase; http_uri; detection_filter:track by_src, count 5, seconds 60; metadata:service http; reference:url,www.malware-control.com/statics-pages/64df7e0afed582dd98dfb4dbea4aaaaf.php; classtype:trojan-activity; sid:19123; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakePlus variant outbound connection"; flow:to_server,established; content:"|2F|exe_in_db|2E|php|3F|uid|3D|"; nocase; http_uri; content:"|26|aid|3D|acc"; nocase; http_uri; content:!"Accept"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f28657edcfc7f11ce00f8b8a1c4f6e64/detection; classtype:trojan-activity; sid:19062; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ponmocup.A variant outbound connection"; flow:to_server,established; content:"|2F|update|2F|utu|2E|dat"; fast_pattern:only; http_uri; content:!"|0A|Accept"; nocase; http_header; pcre:"/^Host.*\x2Ecn/Hmi"; metadata:service http; reference:url,www.virustotal.com/#/file/3bd4cd629c595df5f78e7ad5c5e97c04/detection; classtype:trojan-activity; sid:19060; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Faketube update request"; flow:to_server,established; content:"User-Agent|3A| Autoit"; nocase; http_header; content:"|2F 7E|ntproduc|2F|update"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/35cc362bd4c354d0a27691a39f7d9b5a157f7dd0a0f286d99d64608ab8bc99a3/analysis/; classtype:trojan-activity; sid:19058; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 99 (msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; content:"AddSetup|2E|asp|3F|id|3D|"; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528/analysis/; classtype:trojan-activity; sid:19057; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QQFish variant outbound connection"; flow:to_server,established; content:"AddSetup|2E|asp|3F|id|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d8ea9a2f510ed38a95690bca1ae536d2f8f9bda4fd2715ebba261274a5837528/analysis/; classtype:trojan-activity; sid:19056; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gosik.A registration"; flow:to_server,established; content:"|2F|connect|2E|php|3F|action|3D|getcomm|26|"; nocase; http_uri; content:!"|0A|Accept|3A|"; nocase; http_header; content:!"|0A|User-Agent|3A|"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/95c5614d629f06ca58e1743ccede027bc16c028344a8d004b4a48a4c3a9382dd/analysis/; classtype:trojan-activity; sid:19055; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 85 (msg:"MALWARE-CNC Win.Trojan.Sisron.nelo variant outbound connection"; flow:to_server,established; content:"GET|20|"; depth:4; content:"|2F|state|2E|php|3F|"; within:128; nocase; content:"action|3D|install"; distance:0; nocase; content:"NetLog2"; within:512; nocase; pcre:"/^User-Agent\x3A[^\x0D\x0A]*?NetLog2/mi"; reference:url,www.virustotal.com/#/file/b4afa1df1debb6c5a8ece7d0a4793bed/detection; classtype:trojan-activity; sid:19054; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Nusump.A variant outbound connection"; flow:to_server,established; content:"|2F|index|2E|php|3F|"; nocase; http_uri; content:"|26|co|3D|"; nocase; http_uri; content:"|26|us|3D|"; nocase; http_uri; content:"|26|dt|3D|"; nocase; http_uri; content:!"|0A|Accept"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/42c5002aefb925a00093f764ceb41ecdea814382f94525ec7a662956dff35620/analysis/; classtype:trojan-activity; sid:19053; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Httpbot.qdc variant outbound connection"; flow:to_server,established; content:"|2E|php|3F|getCmd|26|id|3D|"; nocase; http_uri; content:!"|0A|Accept|3A|"; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/baa26783d7e5af6e3336a20e83d5a018737971a322807936a3f8d5ee48fb261c/analysis/; classtype:trojan-activity; sid:19052; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra.fxe variant outbound connection"; flow:to_server,established; content:"|2F|enviador|2E|php"; nocase; http_uri; content:"he|3D|"; nocase; http_client_body; content:"|26|topo|3D|"; nocase; http_client_body; content:"|26|msg|3D|PC|25|20|3A 25|20"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/50d4c5625926303783ca4c8cbd96fee4/detection; classtype:trojan-activity; sid:19050; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Gigade variant outbound connection"; flow:to_server,established; content:"x0|0C|"; depth:3; content:"|0C|ADS|0C|"; within:5; distance:3; content:"|0C|"; within:25; content:"|0C|"; within:25; content:"|0C|"; within:25; metadata:impact_flag red; reference:url,virustotal.com/en/file/5cb874e5ef2a8613123284b66e9fb51387a14528b50e4a9aac4fd613dfc9bc1a/analysis/; classtype:trojan-activity; sid:19049; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkness variant outbound connection"; flow:to_server,established; content:"|2F|index|2E|php|3F|uid|3D|"; fast_pattern; nocase; http_uri; content:"|26|ver|3D|"; within:5; distance:6; nocase; http_uri; pcre:"/ver=\S{2}\s(XP|2000|2003|Vista)/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/34d0e0d5485177b0ccdb3cb86fab37a9/detection; classtype:trojan-activity; sid:19048; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos.XQ variant outbound connection"; flow:to_server,established; content:"/archiveFC.php"; nocase; http_uri; content:"conteudo|3D|"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/3fe9417fecd385b994f4a19ba38ad5f8/detection; classtype:trojan-activity; sid:19045; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.ACQE variant outbound connection"; flow:to_server,established; content:"|2F|arquivo|2E|php"; nocase; http_uri; content:"email|3D|"; nocase; http_client_body; content:"|26|subject|3D|Infectou"; nocase; http_client_body; content:"|26|message|3D|"; nocase; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/8d6249ad0e4b555f08aa3e1116be26c3/detection; classtype:trojan-activity; sid:19042; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carberp.C variant outbound connection"; flow:to_server,established; content:"|2F|cfg|2F|stopav|2E|plug"; fast_pattern:only; http_uri; content:!"Accept|3A|"; nocase; http_header; content:!"Content-Type|3A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/a0219a03c93cb6fc4e94669ce8f967fb/detection; classtype:trojan-activity; sid:19041; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection"; flow:to_server,established; flowbits:isset,trojan.linkbot_alr; content:"JOIN"; depth:4; content:"|23|balengor"; within:32; nocase; reference:url,www.virustotal.com/en/file/5c3129df82105d51cf621900710e53989442b8c8f692302faa08a130861c43d5/analysis/; classtype:trojan-activity; sid:19040; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Linkbot.alr variant outbound connection"; flow:to_server,established; content:"USER|20|"; depth:5; pcre:"/^USER\s(\S+)\s\1\s\1\s\x3A/m"; flowbits:set,trojan.linkbot_alr; flowbits:noalert; reference:url,www.virustotal.com/en/file/5c3129df82105d51cf621900710e53989442b8c8f692302faa08a130861c43d5/analysis/; classtype:trojan-activity; sid:19039; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 143 (msg:"MALWARE-CNC Win.Trojan.Jzzer.A variant outbound connection"; flow:to_server,established; content:"MSG 5 N 130|0D 0A|"; depth:13; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/279e27c133e0375b42a640dae66eecf5e42a1ec001c68eb68bcbdf36c3cbf09e/analysis/; classtype:trojan-activity; sid:19038; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:6667 (msg:"MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection"; flow:to_server,established; flowbits:isset,trojan.ircbrute_i; content:"JOIN|20 23 23|"; depth:7; nocase; content:"|23 23|"; within:8; distance:2; pcre:"/^JOIN\s\x23\x23\S{2,6}\x23\x23\s?\x0D\x0A/mi"; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/6395a0272db84948018dc2e0c87e23d257860be59c10e41ef543683e4a58524a/analysis/; classtype:trojan-activity; sid:19037; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:6667 (msg:"MALWARE-CNC Win.Trojan.IRCBrute.I variant outbound connection"; flow:to_server,established; content:"NICK|20 7B|"; depth:6; nocase; content:"|7D 0D 0A|"; within:32; pcre:"/^NICK\s\x7B\S{2,4}\x5C\S{2,6}\x5C\d{1,7}\x7D\x0D\x0A/mi"; flowbits:set,trojan.ircbrute_i; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/6395a0272db84948018dc2e0c87e23d257860be59c10e41ef543683e4a58524a/analysis/; classtype:trojan-activity; sid:19036; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"MALWARE-CNC Win.Trojan.Vilsel.baqb variant outbound connection"; flow:to_server,established; content:"webbd2011"; depth:64; offset:10; content:"webbd2011"; distance:0; reference:url,www.virustotal.com/en/file/86ed55a4a1785b562d6fc5ced50cc0445d6ec8e213c43120b20da8897edd5855/analysis/; classtype:trojan-activity; sid:19035; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot.qd variant outbound connection"; flow:to_server,established; content:"be/stat.php"; http_uri; content:"hack|2D|off|2E|ru"; fast_pattern:only; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=6469b30499f87ac3b223783ffb6e5500; classtype:trojan-activity; sid:19034; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cornfemo variant outbound connection"; flow:to_server,established; content:"/inetcreative/"; http_uri; content:"suggestbar|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1de269661ccafaba5e955f83a9007418affad274932e42e3f6d3d592ad041a67/analysis/; classtype:trojan-activity; sid:19033; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cornfemo variant outbound connection"; flow:to_server,established; content:"/inetcreative/"; http_uri; content:"newdonkey|2E|net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/1de269661ccafaba5e955f83a9007418affad274932e42e3f6d3d592ad041a67/analysis/; classtype:trojan-activity; sid:19032; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC iPRIVACY variant outbound connection"; flow:to_server,established; content:"/iprivacy/update.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/2fac1b6ca197c7d088de1f11fd655abe72fb3239c624aed4add94e246b9f59cf/analysis/; classtype:trojan-activity; sid:19031; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uloadis variant outbound connection"; flow:to_server,established; content:"admin/lod.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/4cefab420d534549b1042e9fcc9bc6fbf74eae8f99059fee577d25736a6fc64c/analysis/; classtype:trojan-activity; sid:19030; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PcClient.AI variant outbound connection"; flow:to_server,established,only_stream; content:"/zxj/ps/hei/ps.jpg"; fast_pattern:only; http_uri; detection_filter:track by_src, count 1, seconds 60; metadata:service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient; classtype:trojan-activity; sid:19029; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mailbot variant outbound connection"; flow:to_server,established; content:"/JQ4vpI/vq.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/689cf179adaadecbaf55858125ebdc01ce1f7d75d87922542248cd40637e43aa/analysis/; classtype:trojan-activity; sid:19028; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BrowserModifier.Win32.Kerlofost variant outbound connection"; flow:to_server,established; content:"/adv.php"; http_uri; content:"misc="; distance:0; http_uri; content:"keywords="; distance:0; http_uri; content:"host="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/462ab6bcadb48ce27e1141e6ff29ae1e13c2e3b93f27bff1a14cd1d15545421a/analysis/; classtype:trojan-activity; sid:19027; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Banker.Win32.Bancos.etf variant outbound connection"; flow:to_server,established; content:"/ad487/snd.php"; http_uri; content:"lcp="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/6b753c052059e09bc6ae8f6988303efaa7baf51a8088540e6c38fe0e3a780ee3/analysis/; classtype:trojan-activity; sid:19025; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.StartPage variant outbound connection"; flow:to_server,established; content:"/c.jpg"; http_uri; content:"Host|3A| bslk|2E|xorg|2E|pl"; fast_pattern; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/5453b438b7412055bc01f825bae43563f9c657f98c776e08c57aeec2ff15b4e5/analysis/; classtype:trojan-activity; sid:19024; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6664:6669 (msg:"MALWARE-CNC IRC.Zapchast.zwrc variant outbound connection"; flow:to_server,established; content:"ISON"; nocase; content:"adrian"; distance:0; nocase; content:"ctrldel"; distance:0; fast_pattern; nocase; reference:url,www.virustotal.com/en/file/821950d09fda78fd05a7f4e9f945b38da2437833e2fe4ab8a2e76b97851adc49/analysis/; classtype:trojan-activity; sid:19023; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection"; flow:to_server,established; flowbits:isset,FraudLoad; content:"/admin/cgi-bin/get_domain.php"; http_uri; content:"type=download"; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=038aef0a28360f6127f76567b7410459; classtype:trojan-activity; sid:19022; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Win32.FraudLoad.dzm variant outbound connection"; flow:to_server,established; content:"/admin/cgi-bin/get_domain.php"; http_uri; content:"type=site"; distance:0; nocase; http_uri; flowbits:set,FraudLoad; flowbits:noalert; metadata:service http; reference:url,virustotal.com/file-scan/report.html?id=038aef0a28360f6127f76567b7410459; classtype:trojan-activity; sid:19021; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacBack Win.Trojan.variant outbound connection"; flow:to_server, established; content:"/cgi-mac/2wmcheckdir.cgi"; fast_pattern; http_uri; content:"POST"; http_method; content:"User-Agent|3A 20|0PERA|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186/analysis/; classtype:trojan-activity; sid:19019; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacBack Win.Trojan.variant outbound connection"; flow:to_server, established; content:"/cgi-mac/whatismyip.cgi"; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186/analysis/; classtype:trojan-activity; sid:19018; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacBack Win.Trojan.variant outbound connection"; flow:to_server, established; content:"/CurlUpload"; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186/analysis/; classtype:trojan-activity; sid:19017; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacBack Win.Trojan.variant outbound connection"; flow:to_server, established; content:"/checkur1"; http_uri; content:"User-Agent|3A 20|curl"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f78f399d4c2328be8992bc1c02334f7acea99f3db418a983591670109de49186/analysis/; classtype:trojan-activity; sid:19016; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Win32/Trojanclicker"; flow:to_server,established; content:"getupdate.php?id1="; nocase; http_uri; content:"&guid="; distance:0; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; content:"&dom="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/e551968dcdb1b571c4709811666cd8e4a9b4bda5a9872aedcc0143a43bc8b59f/analysis/; classtype:trojan-activity; sid:18984; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WinSpywareProtect variant outbound connection"; flow:to_server,established; content:"/?domain=winspywareprotection.com"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/eb5a561fbd2842fb9efd011a51edce3378767631077f6557576d323c0a36515a/analysis/; classtype:trojan-activity; sid:18982; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WinSpywareProtect variant outbound connection"; flow:to_server,established; content:"/?domain=refererdetect"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/eb5a561fbd2842fb9efd011a51edce3378767631077f6557576d323c0a36515a/analysis/; classtype:trojan-activity; sid:18981; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WinSpywareProtect variant outbound connection"; flow:to_server,established; content:"/pay/-1/1/"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/eb5a561fbd2842fb9efd011a51edce3378767631077f6557576d323c0a36515a/analysis/; classtype:trojan-activity; sid:18980; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5900 (msg:"MALWARE-CNC Worm.Win32.AutoRun.fmo variant outbound connection"; flow:to_server,established; content:"USER|20|VirUs"; content:"|20 03 38 2C 31 02 03|8Coded|20 03|4by|20 03|8virus"; within:200; nocase; reference:url,www.threatexpert.com/report.aspx?md5=86af282483aed013b7e06c4a641cfe0f; classtype:trojan-activity; sid:18979; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pasta.aoq variant outbound connection"; flow:to_server,established; content:"/count/count.asp"; http_uri; content:"szclientid="; distance:0; http_uri; content:"szusername="; distance:0; http_uri; content:"szpapapaname="; distance:0; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/e488e5aad5c3f10bc689038124ba529fd13aaae04a95d4e98ff96cf3fdcfb89a/analysis/; classtype:trojan-activity; sid:18978; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 18386 (msg:"MALWARE-CNC Win.Trojan.Proxy variant outbound connection"; flow:to_server; pcre:"/^[\x60\x62\x64\x66\x68\x6a\x6c\x6e\x70\x72]{4,5}/"; reference:url,www.virustotal.com/en/file/8a37f119ec87a00719c8a87bc323225f31ac169c06fb5434f77f06f5876b5017/analysis/; classtype:trojan-activity; sid:18977; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rogue-Software.AVCare variant outbound connection"; flow:to_server,established; content:"/adv/order/"; http_uri; content:"systemsecuritycenter|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/file/f9e5a8936aab4ee297aade2f54749f88b939732f608435ecd172db0ada23982b/analysis/; classtype:trojan-activity; sid:18976; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.IRCBot.FC variant outbound connection"; flow:to_server,established; flowbits:isset,trojan.ircbot_fc; content:"|23|update1|23|"; depth:64; nocase; pcre:"/^JOIN[ \t]+\x23update1\x23/i"; reference:url,www.virustotal.com/en/file/da5bfdf3bcdf805aeec1c292459dae4e27e3f2bbb27e6d59a23566586255d2fb/analysis/; classtype:trojan-activity; sid:18947; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.IRCBot.FC variant outbound connection"; flow:to_server,established; content:"NICK|20 5B|"; depth:6; nocase; content:"|5D 0D 0A|"; within:32; pcre:"/^NICK[ \t]+\x5BSI\x7C\S+\x7C[0-9]{2}\x7C\S+\x7C[0-9]{5}\x5D/i"; flowbits:set,trojan.ircbot_fc; flowbits:noalert; reference:url,www.virustotal.com/en/file/da5bfdf3bcdf805aeec1c292459dae4e27e3f2bbb27e6d59a23566586255d2fb/analysis/; classtype:trojan-activity; sid:18946; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Virus.Win32.Feberr variant outbound connection"; flow:to_server,established; content:"|2F|uploads|2F|"; nocase; http_uri; content:!"|0A|Accept"; nocase; http_header; content:!"User|2D|Agent"; nocase; http_header; pcre:"/^\x2Fuploads\x2F\d+\x2Egif/Ui"; metadata:service http; reference:url,www.virustotal.com/#/file/ca33558a744e9448e3501fd1f4fb6588/detection; classtype:trojan-activity; sid:18945; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - MacDefender"; flow:to_server,established; content:"php?affid="; nocase; http_uri; content:"User-Agent|3A 20|MacDefender|2F 31|"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466/analysis/; classtype:trojan-activity; sid:18943; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - MacProtector"; flow:to_server,established; content:"php?v="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"User-Agent|3A 20|MacProtector|2F 31|"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/file/eae02fafe9ce6fc34b0cd4365b6509ed04725857117d2b0bd601961878804e8c/analysis/; classtype:trojan-activity; sid:18942; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - FakeAV"; flow:to_server,established; content:"/httpss/v="; http_uri; content:"&step="; distance:0; http_uri; content:"&hostid="; distance:0; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/54b4cb6b40f258a7cd409478b30782ec395fed5a7b9c4870d29e452da236d9e3/analysis/; classtype:trojan-activity; sid:18941; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Sality"; flow:to_server,established; content:"/sm.php?pizda"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.virustotal.com/en/file/54591391429967064308d1f6e7d8bd099e4d3e6ef7bdb47a6671b0dd609903db/analysis/; classtype:trojan-activity; sid:18940; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/getcfg.php"; fast_pattern:only; http_uri; content:"POST"; http_method; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cc2f69011f7d5b0e1cf578c76a24ab7ced949cebc9960f1374ad275cb18ca092/analysis/; reference:url,www.virustotal.com/en/file/f0317f48f1dfd0a9a9008985493f3bf310871dc6e2767b18aef8310328e007c2/analysis/; reference:url,www.virustotal.com/file/ad007bcb943baf5365f9c4bb3ef378e5ec83847aabed33544dd013fabc535482/analysis/; classtype:trojan-activity; sid:18939; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Win.Trojan.Krap"; flow:to_server,established; content:"/task.php?id="; fast_pattern; nocase; http_uri; content:"&task="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.virustotal.com/#/file/1d0d38dd63551a30eda664611ed4958b/detection; reference:url,www.virustotal.com/en/file/b5d592ea665573c8564faf443f60fa39c63c77a5a10d640270d2cc41a4430323/analysis/; classtype:trojan-activity; sid:18937; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Win.Trojan.FakeAV"; flow:to_server,established; content:"/cycle_report.cgi?type="; fast_pattern; nocase; http_uri; content:"&system="; distance:0; nocase; http_uri; content:"&id="; distance:0; nocase; http_uri; content:"&status="; distance:0; nocase; http_uri; content:"POST"; http_method; metadata:service http; reference:url,www.virustotal.com/en/file/c69d4504910f658432d96b6cbcbff057fa9ee1cb5dddb7c5800ac651dc9c7db6/analysis/; classtype:trojan-activity; sid:18936; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic -- Coreflood"; flow:to_server,established; content:"r="; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&panic="; distance:0; nocase; http_client_body; content:"&input="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/707505ccfd2c91901457c2ede96daa21/detection; classtype:trojan-activity; sid:18934; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI -- W32.Swizzor"; flow:to_server,established; content:"/get.cgi?"; nocase; http_uri; content:"|3D|"; within:1; distance:32; http_uri; pcre:"/get\x2Ecgi\x3F[A-Z\d]{32}\x3D/Ui"; metadata:service http; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-swizzor.html; classtype:trojan-activity; sid:18900; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI Request for known malicious URI - Chinese Rootkit.Win32.Fisp.a"; flow:to_server,established; content:"/tj.aspx?a="; nocase; http_uri; content:"&b="; distance:0; nocase; http_uri; content:"&c="; distance:0; nocase; http_uri; content:"&f="; distance:0; nocase; http_uri; content:"&g="; distance:0; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:18782; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC URI request for known malicious URI - /gpdcount"; flow:to_server,established; content:"/gpdcount"; nocase; http_uri; content:"?&vinfo="; distance:0; nocase; http_uri; content:"&curtime="; distance:0; nocase; http_uri; content:"&mac="; distance:0; nocase; http_uri; content:"&dbg="; distance:0; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:18775; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC URI request for known malicious URI"; flow:to_server,established; content:".php?op="; nocase; http_uri; content:"&macaddress="; distance:0; nocase; http_uri; content:"&pcname="; distance:0; nocase; http_uri; content:"&nomeusuario="; distance:0; nocase; http_uri; metadata:service http; classtype:trojan-activity; sid:18774; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW"; flow:to_server,established; content:"/blog.updata?v="; nocase; http_uri; content:"&r1="; within:4; distance:7; http_uri; content:"&tm="; within:4; distance:32; http_uri; content:"&os="; distance:0; http_uri; metadata:service http; classtype:trojan-activity; sid:18762; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Win32.Koobface.D variant outbound connection"; flow:to_server,established; content:"action|3D|fbgen"; nocase; http_uri; content:"mode|3D|s"; nocase; http_uri; content:"age|3D|"; nocase; http_uri; content:"fblogin|3D|"; nocase; http_uri; content:"defbrowser|3D|"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/b19d0cfb1434de2761d1b49853f0cc78/detection; classtype:trojan-activity; sid:18739; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.ZeroClean variant outbound connection"; flow:to_server,established; content:"|2F|active_count|2E|php|3F|"; nocase; http_uri; content:"pid|3D|zeroclean"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/f7b6ccba93a18b03090a05219f0f1423/detection; classtype:trojan-activity; sid:18724; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.CleanV variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A 20|CVAutoUpdate"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/6dff6ed464505bbd40aa9795ad876cbb/detection; classtype:trojan-activity; sid:18723; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Terzib.A variant outbound connection"; flow:to_server,established; content:"|2F|search|2E|asp|3F|uid|3D|"; nocase; http_uri; content:"www|2E|microsoft|2E|com"; nocase; http_client_body; content:"Accept|3A 20 2A 2F 2A|"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/414a5326b81e8361e600885d94c8af0c/detection; classtype:trojan-activity; sid:18720; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.IRCBot.CBY variant outbound connection"; flow:to_server,established; content:"USER|20|"; depth:5; content:"VirUs|20 22 22 20 22|lol|22 20 3A|"; within:64; reference:url,www.virustotal.com/#/file/3afdc2fa17897c6dc460f1713b787006/detection; classtype:trojan-activity; sid:18719; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.AdvancedDefender variant outbound connection"; flow:to_server,established; content:"|2F|install"; nocase; http_uri; content:"track_id|3D|"; nocase; http_uri; content:"User-Agent|3A 20|advanceddefender|2E|exe"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/6f55656d7efaf44df6219b0db2030a63/detection; classtype:trojan-activity; sid:18718; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.QO variant outbound connection"; flow:to_server,established; content:"RooTKit+By+Iron+Mask+%2D+Espanha"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/#/file/b4d9c824423040e936afb0ca5358935c/detection; classtype:trojan-activity; sid:18717; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.H variant outbound connection"; flow:to_server,established; content:"|2F|boom|2F|n|2E|jpg"; nocase; http_uri; content:"ln|3D|"; nocase; http_uri; content:"cn|3D|"; nocase; http_uri; content:"un|3D|"; http_uri; content:"os|3D|"; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/314ef82eeec3f0c2fd58918b727d4bd4/detection; classtype:trojan-activity; sid:18716; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Ozdok botnet communication with C&C server"; flow:to_server,established; content:"|DB FD 37 7F 11 01 B9 E5|"; depth:8; offset:2; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/c523ea7ca25a68513a35e292e64d76e0126b1f6b6805e0b08ca35efbd3c5c383/analysis/; classtype:trojan-activity; sid:18715; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.XJRAntivirus variant outbound connection"; flow:to_server,established; content:"|2F|stat|2F|action3|2E|cgi"; nocase; http_uri; content:"p|3D|"; nocase; http_uri; content:"a|3D|"; nocase; http_uri; content:"system|3D|"; nocase; http_uri; content:"id|3D|"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/0fd17ef3b0e06bc596d738959e0a201c/detection; classtype:trojan-activity; sid:18712; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.SecurityCentral variant outbound connection"; flow:to_server,established; content:"|2E|php|3F|id|3D|"; nocase; http_uri; content:"vipsecuritycentral|2E|com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/004fe98c373ac03bd457c1b283d5dab8/detection; classtype:trojan-activity; sid:18711; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.aufm variant outbound connection"; flow:to_server,established; content:"|2F|cfg-ff|2E|txt"; nocase; http_uri; content:"User-Agent|3A 20|HTTP|20|Client"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/827de4cd12e91a5b20b95ed086fd9056/detection; classtype:trojan-activity; sid:18709; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.AntivirusSoft variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Microsoft|20|Internet|20|Explorer|0D 0A|"; nocase; http_header; content:"loads2|2E|php|3F|r|3D|"; fast_pattern; nocase; http_uri; pcre:"/loads2\x2Ephp\x3Fr\x3D[0-9]{2}\x2E[0-9]/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/8717c9857b84d634a1c76562da5bb267/detection; classtype:trojan-activity; sid:18708; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.ControlCenter variant outbound connection"; flow:to_server,established; content:"|2F|r2newinstall"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/8eeb4451ab114587003b4d31e50e834b/detection; classtype:trojan-activity; sid:18707; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BHO.argt checkin"; flow:to_server,established; content:"/count/insert.php?pid="; nocase; http_uri; content:"&kind="; nocase; http_uri; metadata:service http; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1021383aeb7c06ed081a4d7a3e9e86d5; reference:url,threatexpert.com/report.aspx?md5=7895dd4c80bc92b98b1f0245efdd3937; classtype:trojan-activity; sid:18700; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar.dpvy/Parkchicers.A/Delf checkin"; flow:to_server,established; content:"execute.php?m_origin="; http_uri; content:"&usr_id="; http_uri; content:"&usr_gubun="; http_uri; content:"&serialno="; http_uri; content:"&Pid="; http_uri; metadata:service http; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=ddc314b952c4971acde4a978a54c7b3c&id=765683; reference:url,www.threatexpert.com/report.aspx?md5=ddc314b952c4971acde4a978a54c7b3c; reference:url,www.virustotal.com/#/file/ddc314b952c4971acde4a978a54c7b3c/detection; classtype:trojan-activity; sid:18618; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.agum variant outbound connection"; flow:to_server,established; content:"|2F|klnormal|2E|php"; nocase; http_uri; content:"tipo|3D|cli|26|cli|3D|"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/e780676f9ff455e35dca65aed9d8060b/detection; classtype:trojan-activity; sid:18577; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RussKill botnet variant outbound connection"; flow:to_server,established; content:"/779/"; http_uri; content:"akakalat|2E|com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=48bb89358e8e43e81d5e287038252958; classtype:trojan-activity; sid:18564; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gaboc variant outbound connection"; flow:to_server,established; content:"/web/get_core_infov3|2E|asp"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=0022070ff8663a5cbb169065f884c08f; classtype:trojan-activity; sid:18563; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RogueSoftware.Win32.LivePcCare variant outbound connection"; flow:to_server,established; content:"newsystem|2D|guard|2E|in"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/#/file/4845c6698bb0216b362c2174852da19d/detection; classtype:trojan-activity; sid:18562; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Night Dragon keepalive message"; flow:to_server,established; content:"|68 57 24 13|"; depth:4; offset:12; content:"|03 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:18459; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Night Dragon initial beacon"; flow:to_server,established; content:"|68 57 24 13|"; depth:4; offset:12; content:"|01 50|"; depth:2; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:18458; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VB.njz variant outbound connection"; flow:to_server,established; content:"|2F|svr|2E|php|3F|email|3D|"; nocase; http_uri; content:"User-Agent|3A 20|vb|20|wininet"; fast_pattern:only; http_header; content:!"Accept"; nocase; http_header; metadata:service http; reference:url,www.virustotal.com/#/file/8044c2cf3307598e20673193e11b5916/detection; classtype:trojan-activity; sid:18281; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Karagany.A variant outbound connection"; flow:to_server,established; content:"|2F|xgate|2E|php"; nocase; http_uri; content:"User-Agent|3A 20|Opera|2F|10|2E|60|20|Presto|2F|2|2E|2|2E|30"; fast_pattern:only; http_header; content:"id|3D 5F|"; http_client_body; pcre:"/^\d?\x5f\d+\x5f/R"; metadata:service http; reference:url,www.virustotal.com/#/file/b01a66b05b4cf27f063b33772eb6b30b/detection; classtype:trojan-activity; sid:18279; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Tidserv malware command and control channel traffic"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/nfoc.php"; fast_pattern; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:18100; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Carberp"; flow:to_server,established; content:"/cfg/"; nocase; http_uri; content:".plug"; fast_pattern; nocase; http_uri; pcre:"/\/cfg\/[A-Z]+\.plug/Ui"; metadata:service http; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; classtype:trojan-activity; sid:18099; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - Carberp"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/set/first.html"; nocase; http_uri; content:"os=Windows"; fast_pattern:only; metadata:service http; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; classtype:trojan-activity; sid:18098; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Thinkpoint fake antivirus - credit card submission"; flow:to_server,established; content:"bill.php"; nocase; http_uri; content:"cs1=roger"; nocase; http_client_body; content:"product_id="; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17816; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Thinkpoint fake antivirus - user display"; flow:to_server,established; content:"index_new.php"; nocase; http_uri; content:"id=roger"; fast_pattern; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-090610-2408-99; classtype:trojan-activity; sid:17815; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Worm.Win32.Neeris.BF variant outbound connection"; flow:to_server,established; content:"|0A|USER VirUs|20 22 22 20 22|lol|22 20 3A|"; fast_pattern:only; reference:url,www.virustotal.com/#/file/968470dd871f3047cf48b23f0c83985f/detection; classtype:trojan-activity; sid:17805; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC VBMania mass mailing worm download"; flow:to_client,established; file_data; content:"|53 00 65 00 6E 00 64 00 45 00 6D 00 61 00 69 00 6C 00 2E 00 64 00 6C 00 6C 00 00 00|"; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; content:"|2E 00 69 00 71 00 00 00|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7/analysis/; classtype:trojan-activity; sid:17235; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC VBMania mass mailing worm activity"; flow:to_server,established; content:"SendEmail|2E|iq"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fedb7b404754cf85737fb7e50f33324b84eb4c0b98024c7d3302039a901b04b7/analysis/; classtype:trojan-activity; sid:17234; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Trojan-Downloader.JS.Agent.ewh Javascript download"; flow:to_client, established; file_data; content:"document|2E|createElement"; fast_pattern:only; content:".replace("; pcre:"/\.replace\(\x2F(?:\x5C[\x21\x24\x28\x29\x5E]|[\x23\x26\x40])(?:\x7C(?:\x5C[\x21\x24\x28\x29\x5E]|[\x23\x26\x40])){7}\x2F\x69\x67\x2C\x20\x27\x27\x29/"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/68b650e4f6c6e13c335a270ba5c3db3dc84012ec18c71841fcbbcb421000dec5/analysis/; classtype:trojan-activity; sid:17058; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/ping.txt?u="; nocase; http_uri; content:"pg="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16833; classtype:trojan-activity; sid:16833; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/LockIeHome/?mac="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16832; classtype:trojan-activity; sid:16832; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/count/inst.php?ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16831; classtype:trojan-activity; sid:16831; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/socks.php?name="; nocase; http_uri; content:"port="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16830; classtype:trojan-activity; sid:16830; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/web/counter/install.check.php"; nocase; http_uri; content:"in_mac="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16829; classtype:trojan-activity; sid:16829; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/indeh.php"; nocase; http_uri; content:"&v=5&z=com&s=f01"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16828; classtype:trojan-activity; sid:16828; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/code/pop_data3.asp?f=48843&t=a"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16827; classtype:trojan-activity; sid:16827; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/p6.asp?MAC="; nocase; http_uri; content:"Publicer="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16826; classtype:trojan-activity; sid:16826; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"adv=adv"; nocase; http_uri; content:"code1="; nocase; http_uri; content:"code2=uri:id="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16825; classtype:trojan-activity; sid:16825; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/bar/v16-106/c1/jsc/fmr.js?c="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16824; classtype:trojan-activity; sid:16824; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlyStudio known command and control channel traffic"; flow:to_server,established; content:"/piao1.asp?AC="; nocase; http_uri; content:"Content-Length|3A 20|0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16823; classtype:trojan-activity; sid:16823; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/clcount/ip.asp?action=install&mac="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16822; classtype:trojan-activity; sid:16822; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"kx.php"; nocase; http_uri; content:"SIY1|5C|Y)_XYEFDK7M76MKIIL<OH"; nocase; http_client_body; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16821; classtype:trojan-activity; sid:16821; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptik variant outbound connection"; flow:to_server,established; content:".php?ini=v22M"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16820; classtype:trojan-activity; sid:16820; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"ad_type.php?a="; nocase; http_uri; pcre:"/ad_type\.php\?a=[A-Z\d]{13}/Ui"; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16819; classtype:trojan-activity; sid:16819; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/css/pragma/knock.php"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16818; classtype:trojan-activity; sid:16818; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/ll.php?v=3"; nocase; http_uri; content:"wm_id=acc00"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16817; classtype:trojan-activity; sid:16817; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/ue000/38sw.e?uid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16816; classtype:trojan-activity; sid:16816; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/player/blog.updata"; nocase; http_uri; content:"os=Windows"; distance:0; nocase; http_uri; content:"&mid="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16815; classtype:trojan-activity; sid:16815; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/cursors/"; nocase; http_uri; content:"cursor_upp.gif"; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16814; classtype:trojan-activity; sid:16814; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:".aspx?ver=2.0."; nocase; http_uri; content:"rnd="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-16813; classtype:trojan-activity; sid:16813; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/vscript/vercheck.psc?pcrc="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16812; classtype:trojan-activity; sid:16812; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/perce/"; nocase; http_uri; content:"qwerce.gif"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16811; classtype:trojan-activity; sid:16811; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known command and control channel traffic"; flow:to_server,established; content:"/werber/"; nocase; http_uri; content:"217.gif"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16810; classtype:trojan-activity; sid:16810; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FraudPack variant outbound connection"; flow:to_server,established; content:"borders.php"; nocase; http_uri; content:"data="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,snort.org/rule_docs/1-16809; classtype:trojan-activity; sid:16809; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot.E - register client"; flow:to_server,established; content:"/cgi-bin/clientinfo3.pl"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; classtype:trojan-activity; sid:16808; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Qakbot.E - FTP Upload ps_dump"; flow:to_server,established; content:"ps_dump"; fast_pattern:only; pcre:"/ps_dump_[^_]+_[a-z]{5}\d{4}\x2Ekcb/smi"; metadata:service ftp; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; classtype:trojan-activity; sid:16807; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Qakbot.E - FTP upload seclog"; flow:to_server,established; content:"seclog"; fast_pattern:only; pcre:"/seclog_[a-z]{5}\d{4}_\d{10}\x2Ekcb/smi"; metadata:service ftp; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; classtype:trojan-activity; sid:16806; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot.E config check"; flow:to_server,established; content:"/u/updates.cb"; fast_pattern:only; http_uri; pcre:"/^Host\x3A[^\r\n]+((up\d+)|(adserv))/Hmi"; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; classtype:trojan-activity; sid:16805; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot.E - initial load"; flow:to_server,established; content:"/cgi-bin/jl/jloader.pl"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?md5=8171d3223f89a495f98c4e3a65537b8f; classtype:trojan-activity; sid:16804; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rogue AV download/update"; flow:to_server,established; content:"|2F 3F|b|3D|1s1"; fast_pattern; nocase; http_uri; content:"Mozilla"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s*Mozilla\x0d?$/smiH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2063df10f553afa6b1257e576fbf88cf98093ec1ae15c079e947994a96fbfadd/detection; classtype:trojan-activity; sid:16695; rev:7;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Torpig bot sinkhole server DNS lookup"; flow:to_server; byte_test:1,!&,0xF8,2; content:"torpig-sinkhole|03|org"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/#/file/598c0628fb40a17405ee0a3146621460daeee46ac863810af822695153416a3f/detection; classtype:trojan-activity; sid:16693; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface worm executable download"; flow:to_server,established; content:"|2E|sys|2F 3F|getexe|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/c55e2acfed1996ddbd17ddd4cba57530dd34c207be9f9b327fa3fdbb10cdaa7c/detection; classtype:trojan-activity; sid:16670; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Spyeye bot variant outbound connection"; flow:to_server,established; content:"|2E|php|3F|guid|3D|"; nocase; http_uri; content:"ccrc|3D|"; fast_pattern; nocase; http_uri; content:"ver|3D|"; nocase; http_uri; content:"stat|3D|"; nocase; http_uri; content:"cpu|3D|"; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=84714c100d2dfc88629531f6456b8276; classtype:trojan-activity; sid:16669; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Otlard Win.Trojan.activity"; flow:to_server, established; content:"Google Bot"; fast_pattern:only; http_header; pcre:"/^User\x2DAgent\x3A\s*Google\sBot/smiH"; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/report.aspx?md5=19354eda9db43a501b7172489d67d454; classtype:trojan-activity; sid:16600; rev:7;)
# alert tcp $EXTERNAL_NET [4244,10369] -> $HOME_NET any (msg:"MALWARE-CNC SdBot IRC Win.Trojan.server to client communication"; flow:to_client,established; content:"get5.lost|0D 0A|"; reference:url,anubis.iseclab.org/?action=result&task_id=1418ebbc56c0b5a34c11afd1af2ba9881&format=html; classtype:trojan-activity; sid:16558; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; content:"/reklam/config"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=2a2419d34c7990297d9a2f7413a9af2a; classtype:trojan-activity; sid:16528; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Zbot malware config file download request"; flow:to_server,established; content:"/dofyru.bmp"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=4cc069b84270be48bd84b7068dc3bf1a; classtype:trojan-activity; sid:16527; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7382 (msg:"MALWARE-CNC VanBot IRC communication"; flow:to_server,established; content:"JOIN |23|siwa"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,owned-nets.blogspot.com/2009/05/italianswiifatecihnocombaadshah-from.html; classtype:trojan-activity; sid:16526; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.hacktool variant outbound connection"; flow:to_server,established; content:"/update"; nocase; http_uri; content:"Mozilla/4.75"; fast_pattern; nocase; http_header; pcre:"/\x2Fupdate\w\x2Ephp\x3Fp\x3D\d+.*User\x2DAgent\x3A\s+Mozilla\x2F4\x2E75\s\x5Ben\x5D\s\x28X11\x3B\sU\x3B\sLinux\s2\x2E2\x2E16\x2D3\si686\x29/smiH"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=f602982724b3562b80f435f0d87c6a5f; classtype:trojan-activity; sid:16496; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rustock botnet variant outbound connection"; flow:to_server,established; content:"spm/s_alive.php?"; http_uri; content:"id="; distance:0; nocase; http_uri; content:"tick"; distance:0; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; content:"smtp="; distance:0; nocase; http_uri; metadata:service http; reference:url,threatexpert.com/report.aspx?md5=2a375d5f8ee2fe851f9b6407ae0d00e0; classtype:trojan-activity; sid:16495; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TT-bot botnet variant outbound connection"; flow:to_server,established; content:"TT-Bot"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*TT-Bot/mi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,anubis.iseclab.org/index.php?action=result&format=html&task_id=1494581651ca480640538ead93feabed2; classtype:trojan-activity; sid:16493; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bobax botnet variant outbound connection"; flow:to_server,established; content:"&wr="; http_uri; content:"/reg?"; http_uri; pcre:"/\x26tv\x3d\d\.\d\.\d{4}\.\d{4}/smiU"; pcre:"/u=[\dA-Fa-f]{8}/smiU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=89f6a4c3973f54c2bee9f50f62428278; classtype:trojan-activity; sid:16489; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface request for captcha"; flow:to_server,established; content:"GET"; http_method; content:"/cap/temp/"; nocase; http_uri; pcre:"/^\x2Fcap\x2Ftemp\x2F[A-Za-z0-9]+\x2Ejpg/miU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16485; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/cap/?a=get&i="; nocase; http_uri; pcre:"/\d+&/miR"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=efbc47d5e8f3ed68a13968cda586d68d; classtype:trojan-activity; sid:16484; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Koobface worm submission of collected data to C&C server"; flow:to_server,established; content:"&c_ms="; nocase; http_uri; content:"&c_hi="; http_uri; content:"&c_fb="; http_uri; content:"&c_tg="; http_uri; metadata:impact_flag red, service http; reference:url,threatexpert.com/report.aspx?md5=18395e9476bde417692f3a7ab807ac44; classtype:trojan-activity; sid:16483; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.command and control communication"; flow:to_server,established; content:"Ryeol HTTP Client Class"; nocase; http_header; content:"jaiku.com"; nocase; http_header; pcre:"/^User\x2DAgent\x3A\s+Ryeol\s+HTTP\s+Client\s+Class/smiH"; pcre:"/^Host\x3A\s+.*jaiku\x2Ecom/smiH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=9a546564bf213ff866f48848f0f14027; classtype:trojan-activity; sid:16459; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cutwail.AI variant outbound connection"; flow:to_server,established; content:"/40E800143030303030303030303030"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader:Win32/Cutwail.AI; classtype:trojan-activity; sid:16457; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Possible Zeus User-Agent - Mozilla"; flow:to_server,established; content:"User-Agent|3A| Mozilla|0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A| "; http_header; pcre:"/\x2E(bin|exe|php)([\?\x5c\x2f]|$)/smiU"; metadata:impact_flag red, service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:trojan-activity; sid:16442; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Possible Zeus User-Agent - Download"; flow:to_server,established; content:"User-Agent|3A| Download|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2E(bin|exe|php)([\?\x5c\x2f]|$)/smiU"; metadata:impact_flag red, service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:trojan-activity; sid:16441; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Possible Zeus User-Agent - ie"; flow:to_server,established; content:"User-Agent|3A| ie|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2E(bin|exe|php)([\?\x5c\x2f]|$)/smiU"; metadata:impact_flag red, service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:trojan-activity; sid:16440; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Possible Zeus User-Agent - _TEST_"; flow:to_server,established; content:"User-Agent|3A| _TEST_"; fast_pattern:only; http_header; pcre:"/\x2E(bin|exe|php)([\?\x5c\x2f]|$)/smiU"; metadata:impact_flag red, service http; reference:url,en.wikipedia.org/wiki/Zeus_(trojan_horse); classtype:trojan-activity; sid:16439; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Gozi Win.Trojan.connection to C&C"; flow:to_server,established; content:"user_id="; nocase; http_uri; content:"version_id="; nocase; http_uri; content:"passphrase="; fast_pattern:only; http_uri; content:"socks="; nocase; http_uri; content:"version="; nocase; http_uri; content:"crc="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/02e2428657cc20c9206b92474157e59e64d348b47d69dd320cb5e909e9150b99/detection; classtype:trojan-activity; sid:16391; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/#/file/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c/detection; classtype:trojan-activity; sid:16368; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SpyForms malware call home"; flow:to_server,established; content:"/evil/services/bid_register.php?BID="; fast_pattern:only; http_uri; pcre:"/\x2Fevil\x2Fservices\x2Fbid_register\x2Ephp\x3FBID\x3D[A-Za-z]{6}\x26IP\x3D\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x26cipher\x3D[A-Za-z]{9}/smiU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatexpert.com/report.aspx?md5=acf30e13cbcf7eafc8475e976f7af3ec; classtype:trojan-activity; sid:16362; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC bugsprey variant outbound connection"; flow:to_server,established; flowbits:isset,BugsPrey_detection; dsize:>6; content:"GHOST,"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BugsPrey&threatid=42567; reference:url,www.econsultant.com/spyware-database/b/bugsprey-a.html; classtype:trojan-activity; sid:16358; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Clob bot traffic"; flow:to_server,established; content:"/l1/ms32clod.dll"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=1474e6d74aa29127c5d6df716650d724; classtype:trojan-activity; sid:16289; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trickler trojan-spy.win32.pophot variant outbound connection download files"; flow:to_server,established; content:"/bawang/"; http_uri; content:".exe?"; http_uri; content:"frandom="; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Pophot.gen&threatid=416939; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453142055; classtype:misc-activity; sid:16275; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trickler trojan-spy.win32.pophot variant outbound connection connect to server"; flow:to_server,established; content:"/list.htm?"; http_uri; content:"frandom="; http_uri; content:"Host|3A| vip.47tu.com"; fast_pattern:only; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Pophot.gen&threatid=416939; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453142055; classtype:misc-activity; sid:16274; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-dropper.irc.tkb variant outbound connection dxcpm"; flow:to_server,established; content:"/images/dxcpm"; http_uri; content:"www.dxcpm.com"; fast_pattern:only; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.IRC.TKB&threatid=174269; reference:url,www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f; classtype:trojan-activity; sid:16273; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan-dropper.irc.tkb variant outbound connection lordhack"; flow:to_server,established; content:"/includes/editor/"; http_uri; content:"www.lordhack.com"; fast_pattern:only; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.IRC.TKB&threatid=174269; reference:url,www.threatexpert.com/report.aspx?md5=e77f4df496a182bf5d16172cda47b91f; classtype:trojan-activity; sid:16272; rev:7;)
# alert tcp $EXTERNAL_NET [1024:] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TDSS.1.Gen keepalive detection"; flow:to_server,established,no_stream; dsize:<200; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; detection_filter:track by_src, count 4, seconds 15; reference:url,www.virustotal.com/en/file/aab0dc79e71ede6443503038c08c539843d37cdb37c0a0f624658860f4432fae/analysis/; classtype:trojan-activity; sid:16271; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - findzproportal1.com"; flow:to_server,established; content:"/botmon/readdata/"; http_uri; content:"Host|3A| findzproportal1.com"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16269; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.tdss.1.gen install-time detection - yournewsblog.net"; flow:to_server,established; content:"/tdss/"; http_uri; content:"Host|3A| yournewsblog.net"; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.TDss.Gen&threatid=414535; reference:url,www.threatexpert.com/files/TDSSserv.sys.html; reference:url,www.threatexpert.com/report.aspx?uid=cffa846b-93ba-438d-8715-0665b6cd9627; classtype:trojan-activity; sid:16268; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC downloader-ash.gen.b variant outbound connection 3264.php"; flow:to_server,established; content:"/32647543ygwvrhbjt3h4evjrbgnrt.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.ca.com/hk/securityadvisor/pest/pest.aspx?id=453143372; reference:url,www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4; classtype:trojan-activity; sid:16243; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC downloader-ash.gen.b variant outbound connection adload"; flow:to_server,established; content:"/adv/058/adload.php"; http_uri; content:"all1count.net"; fast_pattern:only; http_header; metadata:service http; reference:url,www.ca.com/hk/securityadvisor/pest/pest.aspx?id=453143372; reference:url,www.threatexpert.com/report.aspx?md5=bffe465b5949e78821ffb76b0ed25bb4; classtype:trojan-activity; sid:16242; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bredolab bot variant outbound connection"; flow:to_server,established; content:"controller|2E|php|3F|action|3D|"; nocase; http_uri; content:"entity_list|3D|"; distance:0; nocase; http_uri; content:"rnd|3D|"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=b5a530185d35ea8305d3742e2ee5669f; classtype:trojan-activity; sid:16144; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"MALWARE-CNC torpig-mebroot command and control checkin"; flow:to_server,established; content:"|00 00|O|95 00 00 00 04|echo"; depth:12; reference:url,www.virustotal.com/en/file/3dea2a5b5178bf7c45565960643bc5deee710282348b3fd64ca639791ebafb89/analysis/; reference:url,www.virustotal.com/en/file/f6a109e6e6309f830ae790a43c6950c6e05568c67cfd0ba91f1a877c9acc179a/analysis/; classtype:trojan-activity; sid:16140; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.gen2 variant outbound connection scanner page"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"advid="; nocase; http_uri; pcre:"/\x2F\d+\x2F\x3Fadvid\x3D/Usmi"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Gen&threatid=43099; reference:url,www.threatexpert.com/report.aspx?uid=6a5f4829-667f-4f53-876d-ca74fe4cfcf0; classtype:misc-activity; sid:16139; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.nsis.agent.s variant outbound connection"; flow:to_server,established; content:"/keyword/urlRedirect.cfm?"; fast_pattern; nocase; http_uri; content:"v="; nocase; http_uri; content:"a=SEARCHFST"; nocase; http_uri; content:"k="; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.NSIS.Agent.s&threatid=51530; reference:url,www.pctools.com/mrc/infections/id/Adware.Metadirect_hijacker/; classtype:misc-activity; sid:16124; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection request login page"; flow:to_server,established; content:"/login.htm"; nocase; http_uri; content:"www.sf123.com"; fast_pattern:only; http_header; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=c9798b3a-0b55-4bb6-82a7-c744ef3ba261; classtype:trojan-activity; sid:16113; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.vhb variant outbound connection contact remote server"; flow:to_server,established; content:"/post.asp?"; nocase; http_uri; content:"HD="; distance:0; nocase; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=c9798b3a-0b55-4bb6-82a7-c744ef3ba261; classtype:trojan-activity; sid:16112; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv installtime detection"; flow:to_server,established; content:"/Setup_ver1.1427.0.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16111; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv variant outbound connection childhe"; flow:to_server,established; content:"/pas/apstpldr.dll.html?affid=152174"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16110; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob.wwv variant outbound connection onestoponlineshop"; flow:to_server,established; content:"/templates/onestoponlineshop.net/images/css.css"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.threatexpert.com/report.aspx?uid=0f289bca-21bb-40ac-bec6-8eef22a6172a; classtype:trojan-activity; sid:16109; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.exchanger.gen2 variant outbound connection"; flow:to_server,established; content:"/ldr/client01/ldrctl.php"; fast_pattern:only; http_uri; content:"os="; nocase; http_client_body; content:"ver="; distance:0; nocase; http_client_body; content:"idx="; distance:0; nocase; http_client_body; content:"user="; distance:0; nocase; http_client_body; content:"ioctl="; distance:0; nocase; http_client_body; content:"data="; distance:0; nocase; http_client_body; metadata:service http; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/4275/tr_dldr.exchanger.dw.html; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453143306; classtype:trojan-activity; sid:16108; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC synrat 2.1 pro variant outbound connection"; flow:to_client,established; flowbits:isset,SynRat2.1_initconn; content:"CON"; depth:3; nocase; pcre:"/^CON\w+\d+\xAE/smi"; classtype:trojan-activity; sid:16107; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC synrat 2.1 pro variant outbound connection"; flow:to_server,established; content:"Sin"; depth:3; nocase; pcre:"/^Sin[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; flowbits:set,SynRat2.1_initconn; flowbits:noalert; classtype:trojan-activity; sid:16106; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.zlob variant outbound connection topqualityads"; flow:to_server,established; content:"/servlet/ajrotator/9105"; fast_pattern:only; http_uri; metadata:service http; reference:url,research.sunbeltsoftware.com/threatdisplay.aspx?name=Adware.Agent.gen&threatid=164680; reference:url,www.threatexpert.com/report.aspx?uid=8b81ce31-7f67-4880-8ec0-8359f96d6303; classtype:trojan-activity; sid:16105; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC lost door 3.0 variant outbound connection"; flow:to_server,established; flowbits:isset,LostDoor3_InitConn; content:"v1ct1m[|5C|AS/]"; depth:12; nocase; classtype:trojan-activity; sid:16104; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC lost door 3.0 variant outbound connection"; flow:to_client,established; content:"v1ct1m"; depth:6; nocase; flowbits:set,LostDoor3_InitConn; flowbits:noalert; classtype:trojan-activity; sid:16103; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.delf.phh variant outbound connection sft_ver1.1454.0.exe"; flow:to_server,established; content:"/sft/cvs/cache/sft_ver1.1454.0.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16102; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.delf.phh variant outbound connection 57329.exe"; flow:to_server,established; content:"/lm/57329.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16101; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.delf.phh variant outbound connection file.exe"; flow:to_server,established; content:"/files/56/v2test7/file.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Delf.phh&threatid=449585; reference:url,www.threatexpert.com/report.aspx?uid=37b59ba2-9a43-458f-8e8e-d150ab422b5c; classtype:trojan-activity; sid:16100; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.wdv variant outbound connection"; flow:to_server,established; content:"/new.rar"; nocase; http_uri; content:"htfc8.cn"; fast_pattern:only; http_header; metadata:service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malstartpa.html; reference:url,www.spywaredetector.net/spyware_encyclopedia/Clicker.Agent.htm; classtype:trojan-activity; sid:16099; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.cekar variant outbound connection"; flow:to_server,established; content:"/ljs.txt"; nocase; http_uri; content:"winssco.exe"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d1ef7e3d9a51eaca7d86b9e8f83730f5378aab25f6dccccb69c98254e9276899/analysis/; classtype:trojan-activity; sid:16098; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.vvm variant outbound connection"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"mode=gen"; distance:0; nocase; http_uri; content:"gd="; distance:0; nocase; http_uri; content:"affid="; distance:0; nocase; http_uri; content:"W10="; distance:0; nocase; http_uri; content:"subid="; distance:0; nocase; http_uri; content:"prov="; distance:0; nocase; http_uri; content:"ua="; distance:0; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"www.zabeedly.com/search.php?q="; fast_pattern:only; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win.Trojan.Agent.vvm&threatid=367475; reference:url,www.kaspersky.co.jp/viruswatchlite?hour_offset=-4&search_virus=dropper&page=1; classtype:trojan-activity; sid:16097; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC td.exe variant outbound connection download"; flow:to_server,established; content:"/download.php"; nocase; http_uri; content:"id="; distance:0; nocase; http_uri; content:"Submit=Download+Crack+and+Keygen"; distance:0; nocase; metadata:service http; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16096; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC td.exe variant outbound connection getfile"; flow:to_server,established; content:"/getfiles.php"; nocase; http_uri; content:"id="; distance:0; nocase; http_uri; content:"sid=anycrc"; distance:0; nocase; http_uri; metadata:service http; reference:url,www.siteadvisor.cn/sites/anycracks.com; reference:url,www.spywareremove.com/removetdexe.html; classtype:trojan-activity; sid:16095; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.exchan.gen variant outbound connection"; flow:to_server,established; content:"/ftpgd.exe"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojexchangen.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-041717-0829-99&tabid=2; classtype:trojan-activity; sid:16094; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC bugsprey variant inbound connection"; flow:to_client,established; dsize:7; content:"GHOST|0D 0A|"; depth:7; nocase; flowbits:set,BugsPrey_detection; flowbits:noalert; classtype:trojan-activity; sid:16093; rev:8;)
alert tcp $HOME_NET 27374 -> $EXTERNAL_NET any (msg:"MALWARE-CNC SubSeven client connection to server"; flow:to_client,established; content:"connected."; nocase; content:"Legends"; distance:0; fast_pattern; nocase; pcre:"/^connected\x2e[^\x0D\x0A]*20\d\d[^\x0D\x0A]*ver\x3A\s+Legends\s2\x2e1/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=da8d7529a8a37335064ade9d04df08ad; classtype:trojan-activity; sid:15938; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"tip="; nocase; http_client_body; content:"&cli="; distance:0; nocase; http_client_body; content:"&tipo="; distance:0; nocase; http_client_body; pcre:"/tip\x3D[a-zA-Z]+\x26cli\x3D[a-zA-Z]+\x26tipo\x3Dcli\x26inf\x3D/smiP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=858295d163762748bf4821db5de041a1; classtype:trojan-activity; sid:15730; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh"; nocase; content:"<|22|!0<FEM87|29|Y4V5R=FEC92!|5C 28|'-E9|22|`"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15565; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC RSPlug Win.Trojan.file download"; flow:to_client,established; file_data; content:"|23|!/bin/sh"; nocase; content:"4A4*FD32[8|22|-|29|Y|22|4|28|EB|28 22|!&0H|28 22|8"; distance:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:misc-activity; sid:15564; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RSPlug Win.Trojan.server connection"; flow:to_server,established; content:"GET /cgi-bin/generator.pl HTTP/1.0|0D 0A|User-Agent|3A| "; http_header; content:"1|3B|7017|3B|"; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/osxrsplugf.html; classtype:trojan-activity; sid:15563; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Sality virus HTTP GET request"; flow:to_server,established; content:"/mrow_pin/?id"; nocase; http_uri; pcre:"/\x2Fmrow\x5Fpin\x2F\x3Fid\d+[a-z]{5,}\d{5}\x26rnd\x3D\d+/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.threatexpert.com/report.aspx?md5=b61aaef4d4dfbddbd8126c987fb77374; classtype:trojan-activity; sid:15553; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Zeus/Zbot malware config file download request"; flow:to_server,established; content:"/w/update.dat"; nocase; http_uri; content:"Host|3A| chartseye.cn"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=21782783; classtype:trojan-activity; sid:15481; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Clampi virus communication detected"; flow:to_server,established; content:"o=c&s=00000"; nocase; pcre:"/^POST \x2F[A-Z\d]{16} /smi"; metadata:impact_flag red, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99; classtype:trojan-activity; sid:15423; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankpatch report home"; flow:to_server,established; content:"dlyainfy.php"; nocase; content:"Host|3A| www.crabindustry.ru"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; classtype:trojan-activity; sid:15297; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankpatch malicious file download"; flow:to_server,established; content:"newmain.exe"; nocase; http_uri; pcre:"/[A-Z]{7,12}\/newmain\.exe/Ui"; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; classtype:trojan-activity; sid:15296; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankpatch configuration download"; flow:to_server,established; content:"presentation.doc"; nocase; http_uri; pcre:"/\/[A-Z]{7,12}\/presentation\.doc$/Ui"; metadata:impact_flag red, service http; reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; classtype:trojan-activity; sid:15295; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo client communication"; flow:to_server,established; content:"/40e800"; depth:7; nocase; http_uri; pcre:"/^\x2F40e800[0-9A-F]{30,}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.eweek.com/c/a/Security/Inside-a-Modern-Malware-Distribution-System/; classtype:trojan-activity; sid:15165; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adware.Win32.Agent.BM variant outbound connection 2"; flow:to_server,established; content:"/template/top.html"; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"http|3A|//www.visit-tracker.biz/?VFJDSz0"; distance:0; nocase; http_header; metadata:service http; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Agent.bm; classtype:trojan-activity; sid:14087; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Adware.Win32.Agent.BM variant outbound connection 1"; flow:to_server,established; content:"/?VFJDSz0"; fast_pattern:only; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.visit-tracker.biz"; distance:0; nocase; http_header; metadata:service http; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Agent.bm; classtype:trojan-activity; sid:14086; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC infostealer.banker.c variant outbound connection collect user info"; flow:to_server,established; content:"/panel/s.php?"; nocase; content:"Host|3A|"; nocase; http_header; content:"leacherz.net"; distance:0; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Infostealer.Banker.C&threatid=134389; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99; classtype:trojan-activity; sid:14085; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC infostealer.banker.c variant outbound connection download cfg.bin"; flow:to_server,established; content:"/panel/cfg.bin"; fast_pattern:only; http_uri; content:"Host|3A|"; nocase; http_header; content:"leacherz.net"; distance:0; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Infostealer.Banker.C&threatid=134389; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2007-040208-5335-99; classtype:trojan-activity; sid:14084; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection download other malware"; flow:to_server,established; content:"/retadpu.php?"; nocase; http_uri; content:"version="; distance:0; nocase; http_uri; content:"configversion="; distance:0; nocase; http_uri; content:"GUID="; distance:0; nocase; http_uri; content:"cmd="; distance:0; nocase; http_uri; content:"p="; distance:0; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14083; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection spread via spam"; flow:to_server,established; content:"/spm/"; nocase; http_uri; content:"id="; distance:0; nocase; http_uri; content:"tick="; distance:0; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; content:"smtp="; distance:0; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14082; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.aarm variant outbound connection call home"; flow:to_server,established; content:"/scripts/worker.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"hujashka.com"; distance:0; nocase; http_header; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.bls&threatid=135991; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AARM&VSect=T; classtype:trojan-activity; sid:14081; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Asprox trojan initial query"; flow:to_server,established; content:"/dir1/archive.asp?id=z ANd"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514; classtype:trojan-activity; sid:13953; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.small.gy variant outbound connection update"; flow:to_server,established; content:"/grand/addme.php?"; nocase; http_uri; content:"botid="; distance:0; nocase; http_uri; content:"port="; distance:0; nocase; http_uri; content:"smtp="; distance:0; nocase; http_uri; content:"ipstring="; distance:0; nocase; http_uri; content:"connect,ok"; distance:0; nocase; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Small.gy&threatid=257144; classtype:trojan-activity; sid:13945; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.small.gy variant outbound connection get whitelist"; flow:to_server,established; content:"/grand/data/whitelist.txt"; fast_pattern:only; http_uri; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Proxy.Win32.Small.gy&threatid=257144; reference:url,www.iss.net/security_center/; classtype:trojan-activity; sid:13944; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.nac variant outbound connection call home"; flow:to_server,established; content:"/fd/sea.php?"; nocase; http_uri; content:"ver="; distance:0; nocase; http_uri; content:"User-Agent|3A| clk_jdfhid"; fast_pattern:only; http_header; metadata:service http; reference:url,cai.com/pe/securityadvisor/pest/pest.aspx?id=453132827; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.nac&threatid=234088; classtype:trojan-activity; sid:13942; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.agent.nac variant outbound connection click fraud"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"key="; distance:0; nocase; http_uri; content:"bfirst.info"; fast_pattern:only; http_header; metadata:service http; reference:url,cai.com/pe/securityadvisor/pest/pest.aspx?id=453132827; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.Agent.nac&threatid=234088; classtype:trojan-activity; sid:13941; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Trickler dropper agent.rqg variant outbound connection call home"; flow:to_client,established; flowbits:isset,Dropper_Agent.rqg_Detection; file_data; content:"|7C|http|3A|//xxx.ads555.com/rj/cc1.exe|7C|"; fast_pattern:only; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Dropper.Win32.Agent.rqg&threatid=289587; reference:url,virscan.org/report/2b00cbb9a861bd3dd79ef19a75de92f8.html; classtype:misc-activity; sid:13936; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hijacker mediatubecodec 1.470.0 variant outbound connection download other malware"; flow:to_server,established; content:"/thandler.php?"; nocase; http_uri; content:"p="; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453134350; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.NewMediaCodec&threatid=149335; classtype:misc-activity; sid:13935; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hijacker mediatubecodec 1.470.0 variant outbound connection hijack ie"; flow:to_server,established; content:"/jump.php?"; nocase; http_uri; content:"wmid="; distance:0; nocase; http_uri; content:"mid="; distance:0; nocase; http_uri; content:"lid="; distance:0; nocase; http_uri; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453134350; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.NewMediaCodec&threatid=149335; classtype:misc-activity; sid:13934; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.delf.uv inbound connection"; flow:to_client,established; flowbits:isset,Trojan-Spy.Win32.Delf.uv_Detection; file_data; content:"[update]"; content:"[popwin]"; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Spy.Win32.Delf.uv&threatid=134949; classtype:trojan-activity; sid:13878; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.delf.uv variant outbound connection"; flow:to_server,established; content:"/popwin/"; nocase; http_uri; content:"/update.txt"; distance:0; nocase; http_uri; flowbits:set,Trojan-Spy.Win32.Delf.uv_Detection; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:13877; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC zlob.acc variant outbound connection"; flow:to_server,established; content:"/inst/setup_"; nocase; http_uri; content:".exe"; distance:0; nocase; http_uri; pcre:"/\x2finst\x2fsetup\x5f\d+\x5f\d+\x5f\x2eexe/Ui"; metadata:service http; reference:url,spyware.processlibrary.com/details/SpyName/Zlob.acc/; reference:url,www.spywarelib.com/removal-info/Zlob.acc/; classtype:trojan-activity; sid:13876; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.wintrim.z variant outbound connection"; flow:to_server,established; content:"/binaries/2/2_mslagent.dll"; fast_pattern:only; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"HTTPRequest"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*HTTPRequest/smiH"; metadata:service http; reference:url,www.spywaredb.com/remove-trojandownloader-win32-wintrim-z/; reference:url,www.spywareguide.com/product_show.php?id=2225; classtype:trojan-activity; sid:13856; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC zombget.03 variant outbound connection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"ZOMBIES_HTTP_GET"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*ZOMBIES\x5fHTTP\x5fGET/smiH"; metadata:service http; reference:url,ca.com/ca/fr/securityadvisor/pest/pest.aspx?id=453072485; reference:url,www.pctools.com/mrc/infections/id/ZombGet/; classtype:trojan-activity; sid:13815; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC passhax variant outbound connection"; flow:to_server,established; content:"MAININFO|7C|password|7C|ENU|7C|My"; depth:24; nocase; content:"server"; distance:0; nocase; content:"|3A|D|7C|"; distance:0; nocase; pcre:"/^MAININFO\x7Cpassword\x7CENU\x7CMy\s+server\s+\x3AD\x7C/smi"; reference:url,www.spywareguide.com/spydet_30090_passhax.html; classtype:trojan-activity; sid:13814; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC nuclear rat 2.1 variant outbound connection"; flow:to_client,established; flowbits:isset,Nuclear_RAT_2_1_detection; content:"|1E 0D 00 00 00 00 00 00 00 00 00 00 00|"; depth:13; reference:url,en.wikipedia.org/wiki/Nuclear_RAT; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Nuclear%20RAT&threatid=43578; classtype:trojan-activity; sid:13655; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC nuclear rat 2.1 variant outbound connection"; flow:to_server,established; flowbits:set,Nuclear_RAT_2_1_detection; content:"|FF 00|"; depth:2; content:"|00 00 00 01 00 00 00 00 00 00|"; within:10; distance:1; flowbits:noalert; classtype:trojan-activity; sid:13654; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MBR rootkit HTTP POST activity detected"; flow:to_server,established; content:"POST"; http_method; content:"/ld/mat18/s.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.sophos.com/security/blog/2008/01/987.html; classtype:trojan-activity; sid:13625; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC xploit 1.4.5 pc variant outbound connection"; flow:to_client,established; flowbits:isset,Xploit1_4_5_detection; content:"|01 00|"; depth:2; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Xploit&threatid=48489; reference:url,spywaredetector.net/spyware_encyclopedia/Backdoor.Xploit.htm; classtype:trojan-activity; sid:13509; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC xploit 1.4.5 variant outbound connection"; flow:to_server,established; content:"|00 01|"; depth:2; offset:1; content:"Minutes"; nocase; content:"|00 A1 0F 00 00 00|"; distance:0; flowbits:set,Xploit1_4_5_detection; flowbits:noalert; classtype:trojan-activity; sid:13508; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC evilotus 1.3.2 variant outbound connection"; flow:to_server,established; flowbits:isset,Evilotus_detection; content:"|0C|~|7F D8|"; depth:4; content:"|00 00 00|d|C8 00 00|"; within:8; distance:1; content:"|00 00 00|"; within:3; distance:1; reference:url,attack.mitre.org/techniques/T1014; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Rootkit.Evilotus.A&threatid=124679; reference:url,www.megasecurity.org/trojans/e/evilotus/Evilotus1.3.2.html; classtype:trojan-activity; sid:13507; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC yuri 1.2 variant outbound connection"; flow:to_server,established; flowbits:isset,Yuri_1_2_detection; content:"|7C|"; nocase; content:"|7C|"; distance:0; nocase; content:"|7C|Yuri"; distance:0; nocase; content:"v1."; distance:0; nocase; content:"|7C|"; distance:0; nocase; pcre:"/\x7C\d+\x2E\d+\x2E\d+\x2E\d+\x7C.*\x7CYuri\s+v1\x2E\d+\x7C/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Yuri%20RAT&threatid=48528; classtype:trojan-activity; sid:13248; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC troll.a variant outbound connection"; flow:to_server,established; content:"terServer"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a[^\r\n]*terServer/iH"; metadata:service http; reference:url,www.econsultant.com/spyware-database/t/trojandownloader-win32-troll.html; reference:url,www.sophos.com/virusinfo/analyses/trojtrolla.html; classtype:trojan-activity; sid:12661; rev:10;)
# alert tcp $HOME_NET [37,31415,31416] -> $EXTERNAL_NET any (msg:"MALWARE-CNC lithium 1.02 variant outbound connection"; flow:to_client,established; flowbits:isset,Lithium1.02_detection; content:"|00 00 00 00 00 04 00|"; offset:1; reference:url,www.spywareguide.com/product_show.php?id=658; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-061113-2401-99; classtype:trojan-activity; sid:12166; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [37,31415,31416] (msg:"MALWARE-CNC lithium 1.02 variant outbound connection"; flow:to_server,established; content:"|24 00 00 00 00 00 03 00 0D 00 00 00|"; depth:12; flowbits:set,Lithium1.02_detection; flowbits:noalert; classtype:trojan-activity; sid:12165; rev:6;)
# alert tcp $HOME_NET 1339 -> $EXTERNAL_NET any (msg:"MALWARE-CNC killav_gj"; flow:to_client,established; content:"Server|3A|"; nocase; content:"Root"; distance:0; nocase; content:"kit"; distance:0; nocase; content:"scaner"; distance:0; nocase; pcre:"/^Server\x3a[^\r\n]*Root[^\r\n]*kit[^\r\n]*Scaner/smi"; reference:url,karus-software.at/portal/modules.php?name=Virenlexikon&suche=t&submit=suche&show=Win.Trojan.KillAV.GJ; classtype:trojan-activity; sid:11950; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 51d 1b variant outbound connection icq notification"; flow:to_server,established; content:"/wwp/msg/1,,,00.html"; nocase; http_uri; content:"Uin=223220036"; nocase; http_uri; content:"Name=51D"; nocase; http_uri; content:"Send="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084229; classtype:trojan-activity; sid:10447; rev:9;)
alert tcp $HOME_NET any -> 85.17.3.250 80 (msg:"MALWARE-CNC Win.Trojan.Duntek Checkin GET Request"; flow:to_server,established; content:"cmp=dun_tek"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99&tabid=2; classtype:trojan-activity; sid:10403; rev:10;)
alert udp $HOME_NET 7871 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Peacomm command and control propagation detected"; flow:to_server,no_stream; content:"|E3 0C|"; depth:2; content:"|00 00 00 00 A0 0F 00|"; depth:7; offset:18; detection_filter:track by_src, count 100, seconds 300; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; classtype:trojan-activity; sid:10114; rev:12;)
alert udp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Peacomm command and control propagation detected"; flow:to_server,no_stream; content:"|E3 0C|"; depth:2; content:"|00 00 00 00 A0 0F 00|"; depth:7; offset:18; detection_filter:track by_src, count 100, seconds 300; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; classtype:trojan-activity; sid:10113; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNfY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10077; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALNBp"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10076; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCCaI2wFrGFEtU9IAAA5jAAAArAAAJgAALEir"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10075; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVee+"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10074; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCEgAH0PRKH5o+uIAAF5sAAAAwgAAJgAAVW0u"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10073; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7+1C"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10072; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/dT"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10071; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA73lo"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10070; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA78Ej"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10069; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7xSw"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10068; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA71DL"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10067; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCOoZ0r3G4BoF+sIAADJgAAAArAAAJgAAuru3"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10066; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Peacomm smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACeJY"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10065; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC apofis 1.0 variant outbound connection php notification"; flow:to_server,established; content:"/Notificacion.php"; nocase; http_uri; content:"puerto="; nocase; http_uri; content:"version=1.0"; nocase; http_uri; content:"nombre="; nocase; http_uri; content:"pc="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.megasecurity.org/trojans/a/apofis/Apofis1.0.html; classtype:trojan-activity; sid:9653; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC bagle.a http notification detection"; flow:to_server,established; content:"/1.php?p="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"beagle_beagle"; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*beagle_beagle/smiH"; metadata:impact_flag red, policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9418; rev:14;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC yarner.b smtp propagation detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"Trojaner-Info<webmaster@trojaner-info.de>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Trojaner-Info Newsletter"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Trojaner-Info<webmaster@trojaner-info\x2Ede>/smi"; pcre:"/^Subject\x3A[^\r\n]*Trojaner-Info\sNewsletter/smi"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips drop, service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-021912-4244-99&tabid=2; classtype:trojan-activity; sid:9329; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC x2a variant outbound connection client update"; flow:to_server,established; content:"/app.txt"; nocase; http_uri; content:"x-2.gq.nu"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136; classtype:trojan-activity; sid:8080; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC war trojan ver1.0 variant outbound connection ie hijacker"; flow:to_server,established; content:"/top100"; nocase; http_uri; content:"webfringe"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7805; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC analftp 0.1 variant outbound connection icq notification"; flow:to_server,established; content:"/wwp/msg/1,,,00.html"; http_uri; content:"uin="; nocase; http_uri; content:"name="; nocase; http_uri; content:"Anal FTP"; http_uri; content:"send=yes"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59411; classtype:trojan-activity; sid:7762; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC nova 1.0 variant outbound connection cgi notification client-to-server"; flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; distance:0; nocase; http_uri; content:"nick="; distance:0; nocase; http_uri; content:"os="; distance:0; nocase; http_uri; content:"compname="; distance:0; nocase; http_uri; content:"protected="; distance:0; nocase; http_uri; flowbits:set,nova_cgi_cts; flowbits:noalert; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7742; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC prorat 1.9 cgi notification detection"; flow:to_server,established; content:"/cgi-bin/prorat.cgi"; nocase; http_uri; content:"bilgisayaradi="; nocase; http_uri; content:"ipadresi="; nocase; http_uri; content:"serverportu="; nocase; http_uri; content:"kurban="; nocase; http_uri; content:"servermodeli="; nocase; http_uri; content:"serversaati="; nocase; http_uri; content:"servertarihi="; nocase; http_uri; content:"serversifre="; nocase; http_uri; content:"islem="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html; reference:url,www.virustotal.com/#/file/6b34c4bc2821b7f3edb75d374bdcb53a/detection; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779; classtype:trojan-activity; sid:7722; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC roach 1.0 server installation notification - email"; flow:to_server,established; content:"/roach/mail.php"; nocase; http_uri; content:"port="; nocase; http_uri; content:"name="; nocase; http_uri; content:"pw="; nocase; http_uri; content:"lanby="; nocase; http_uri; content:"to="; nocase; http_uri; content:"www.kornputers.com"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964; classtype:trojan-activity; sid:7704; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC air variant outbound connection webmail notification"; flow:to_server,established; content:"/air/notify/mail.php?"; nocase; http_uri; content:"controlport="; nocase; http_uri; content:"webserverport="; nocase; http_uri; content:"to="; nocase; http_uri; content:"ip="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794; classtype:trojan-activity; sid:7640; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC air variant outbound connection php notification"; flow:to_server,established; content:"/roach/notify/getip.php"; nocase; http_uri; content:"www.kornputers.com"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076794; classtype:trojan-activity; sid:7639; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC hornet 1.0 variant outbound connection icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=Hornet+Server"; nocase; content:"fromemail=Hornet"; distance:0; nocase; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7637; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Snoopware barok variant outbound connection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Barok.... PSWRD Sender Trojan"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"Barok... email PSWRD sender--- by|3A| spyder"; distance:0; nocase; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=793; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075534; classtype:successful-recon-limited; sid:7183; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 135 (msg:"MALWARE-CNC Hacker-Tool sars notifier variant outbound connection net send notification"; flow:to_server; content:"NUCLEAR-NOTIFY"; nocase; content:"IP|3A|"; distance:0; nocase; content:"OS|3A|"; distance:0; nocase; content:"Sysuptime|3A|"; distance:0; nocase; content:"Trojan|3A|"; distance:0; nocase; content:"Port|3A|"; distance:0; nocase; content:"Password|3A|"; distance:0; nocase; content:"User|3A|"; distance:0; nocase; pcre:"/IP\x3A\s+[^\r\n]*\x0d\x0aOS\x3A\s+[^\r\n]*\x0d\x0aSysuptime\x3A\s+[^\r\n]*\x0d\x0aTrojan\x3A\s+[^\r\n]*\x0d\x0aPort\x3A\s+[^\r\n]*\x0d\x0aPassword\x3A\s+[^\r\n]*\x0d\x0aUser\x3A\s+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7151; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Hacker-Tool sars notifier variant outbound connection irc notification"; flow:to_server,established; content:"{IP}"; nocase; content:"{OS}"; distance:0; nocase; content:"{Uptime}"; distance:0; nocase; content:"{Trojan}"; distance:0; nocase; content:"{PSW}"; distance:0; nocase; content:"{Port}"; distance:0; nocase; content:"{User}"; nocase; pcre:"/\x7BIP\x7D[^\x7D\r\n]*\x7BOS\x7D[^\x7D\r\n]*\x7BUptime\x7D[^\x7D\r\n]*\x7BTrojan\x7D[^\x7D\r\n]*\x7BPSW\x7D[^\x7D\r\n]*\x7BPort\x7D[^\x7D\r\n]*\x7BUser\x7D/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7150; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hacker-Tool sars notifier variant outbound connection php notification"; flow:to_server,established; content:"/?action=post"; fast_pattern; nocase; http_uri; content:"log="; http_uri; pcre:"/log\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7149; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Hacker-Tool sars notifier variant outbound connection icq notification"; flow:to_server,established; content:"/whitepages/page_me/1,,,00.html?"; fast_pattern; nocase; http_uri; content:"to="; nocase; http_uri; content:"from="; nocase; http_uri; content:"fromemail="; nocase; http_uri; content:"body="; nocase; http_uri; pcre:"/body\=\x7BIP\x3A[^\x7B\r\n]*\x7D\x7BOS\x3A[^\x7B\r\n]*\x7D\x7BSysuptime\x3A[^\x7B\r\n]*\x7D\x7BTrojan\x3A[^\x7B\r\n]*\x7D\x7BPort\x3A[^\x7B\r\n]*\x7D\x7BPassword\x3A[^\x7B\r\n]*\x7D\x7BUser\x3A/smi"; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078294; classtype:misc-activity; sid:7147; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC y3k 1.2 variant outbound connection user-agent string detected"; flow:to_server,established; content:"ipwHTTP"; nocase; http_header; content:"devSoft"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*devSoft\x27s\s+ipwHTTP\s+Component/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7118; rev:13;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC y3k 1.2 variant outbound connection icq notification"; flow:to_server,established; content:"from=Y3K"; nocase; content:"Server"; distance:0; nocase; content:"fromemail=y3k"; distance:0; nocase; content:"subject=Y3K"; distance:0; nocase; content:"online"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7116; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC gwboy 0.92 variant outbound connection"; flow:to_server,established; flowbits:isset,GWBoy_InitConnection1; dsize:<50; content:"|02 01 03 05|"; depth:4; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7103; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC minimo v0.6 variant outbound connection icq notification"; flow:to_server,established; content:"/friendship/email_thank_you"; nocase; http_uri; content:"failed_url="; nocase; http_uri; content:"folder_id="; nocase; http_uri; content:"extra_params_counte="; nocase; http_uri; content:"nick_name="; nocase; http_uri; content:"user_email="; nocase; http_uri; content:"user_uin="; nocase; http_uri; content:"friend_nickname="; nocase; http_uri; content:"friend_contact="; nocase; http_uri; content:"friend_conta"; nocase; http_uri; pcre:"/^User-Agent\x3A[^\r\n]*http\s+protocol/smiH"; metadata:impact_flag red, service http; classtype:trojan-activity; sid:7077; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC minimo v0.6 variant outbound connection cgi notification"; flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"nick=minibeta"; nocase; http_uri; content:"country="; nocase; http_uri; content:"visible="; nocase; http_uri; content:"protected="; nocase; http_uri; content:"about="; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:7076; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.dumaru.gen variant outbound connection cmd"; flow:to_server,established; content:"/admin/socks/bot/cmd.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.vil.mcafeesecurity.com/vil/content/v_125643.htm; classtype:trojan-activity; sid:7074; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.dumaru.gen variant outbound connection notification"; flow:to_server,established; content:"/admin/logger.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"machineid="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"iplan="; nocase; http_uri; content:"backtrust.com"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.vil.mcafeesecurity.com/vil/content/v_125643.htm; classtype:trojan-activity; sid:7073; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.loosky.gen variant outbound connection notification"; flow:to_server,established; content:"/synctl/ping.pl"; fast_pattern; nocase; http_uri; content:"ip="; nocase; http_uri; content:"speed="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.sophos.com/virusinfo/analyses/w32looskyl.html; classtype:trojan-activity; sid:6474; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC a-311 death user-agent string detected"; flow:to_server,established; content:"A-311 Server"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778; classtype:trojan-activity; sid:6396; rev:11;)
# alert tcp $HOME_NET 16661 -> $EXTERNAL_NET any (msg:"MALWARE-CNC a-311 death variant outbound connection server-to-client"; flow:to_client,established; content:"A-311 Death welcome"; depth:19; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076778; classtype:trojan-activity; sid:6395; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC globalkiller1.0 variant outbound connection notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; content:"from=MondoHack"; nocase; content:"fromemail="; nocase; content:"subject="; nocase; content:"body="; nocase; content:"to="; nocase; content:"send="; nocase; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6331; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC cia 1.3 variant outbound connection icq notification"; flow:to_server,established; content:"/friendship/email_thank_you?"; nocase; http_uri; content:"nick_name=CIA-Test"; nocase; http_uri; content:"user_email=ciatest@icq.com"; nocase; http_uri; content:"friend_nickname=CIA-Notify-Tezt"; nocase; http_uri; pcre:"/\x2Ffriendship\x2Femail_thank_you\?[^\r\n]*nick_name=CIA-Test[^\r\n]*friend_nickname=CIA-Notify-Tezt/Ui"; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6300; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC insurrection 1.1.0 variant outbound connection icq notification 2"; flow:to_server,established; content:"/cgi-bin/blah.cgi"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"id=Insurrection"; nocase; http_uri; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6297; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC insurrection 1.1.0 variant outbound connection icq notification 1"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from="; nocase; content:"fromemail="; nocase; content:"subject=Insurrection+Page"; nocase; content:"body="; nocase; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6296; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC justjoke v2.6 variant outbound connection"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=JJB+Server"; nocase; content:"fromemail=JJB"; nocase; content:"subject=JJB+Pager"; nocase; content:"body=JJ+BackDoor+-+v"; nocase; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073017; classtype:trojan-activity; sid:6291; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC optix 1.32 variant outbound connection icq notification"; flow:to_server,established; content:"/whitepages/page_me/1,,,00.html"; nocase; http_uri; content:"to="; nocase; content:"from="; nocase; content:"fromemail="; nocase; content:"body="; nocase; pcre:"/body=\x2521\x2521\x2521Optix\s+Pro\s+v\d+\x252E\d+\S+sErver\s+Online\x2521\x2521\x2521/smi"; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6115; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC freak 1.0 variant outbound connection icq notification"; flow:to_server,established; content:"/scripts/WWPMsg.dll"; nocase; http_uri; content:"from=FrEaK_ViCTiM"; nocase; http_uri; content:"fromemail=FrEaK"; nocase; http_uri; content:"subject=FrEaK+SERVER"; nocase; http_uri; content:"body="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6071; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC optixlite 1.0 variant outbound connection icq notification"; flow:to_server,established; content:"from=Optix Lite"; nocase; http_uri; content:"fromemail="; nocase; http_uri; content:"subject=From Optix Lite"; nocase; http_uri; content:"body="; nocase; http_uri; content:"to="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6069; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC neurotickat1.3 variant outbound connection cgi notification"; flow:to_server,established; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"win="; nocase; http_uri; content:"pass="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"id=NEUROTICKA"; nocase; http_uri; content:"s7pass="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6059; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC neurotickat1.3 variant outbound connection icq notification"; flow:to_server,established; content:"Uin="; nocase; http_uri; content:"Name=The Hosts port is"; nocase; http_uri; content:"Name=Your Host is"; nocase; http_uri; content:"Send=yes"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6058; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC fear 0.2 variant outbound connection cgi notification"; flow:to_server,established; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"id=FeaR-Server"; nocase; http_uri; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"connection="; nocase; http_uri; content:"s7pass="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6043; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC fear 0.2 variant outbound connection php notification"; flow:to_server,established; content:"body=FeaR"; fast_pattern:only; http_uri; pcre:"/body=FeaR\x25200\x2E2\x2E0\x2520Online\x3A\x2520\x5BIP_\d+\x2E\d+\x2E\d+\x2E\d+\x5D\x2520\x5BPort_/smi"; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6042; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC fade 1.0 variant outbound connection notification"; flow:to_server,established; content:"win="; nocase; http_uri; content:"rpass="; nocase; http_uri; content:"ServerType=Fade"; nocase; http_uri; content:"id="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6039; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC fkwp 2.0 variant outbound connection icq notification"; flow:to_server,established; content:"folder_id="; nocase; http_uri; content:"params_count="; nocase; http_uri; content:"nick_name="; nocase; http_uri; content:"user_email=fkwp@yahoo.com"; nocase; http_uri; content:"user_uin="; nocase; content:"friend_nickname="; nocase; content:"friend_contact="; nocase; content:"x="; nocase; content:"y="; nocase; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/spydet_3088_eltc_editorfkwp.html; classtype:trojan-activity; sid:6029; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC silent spy 2.10 variant outbound connection icq notification"; flow:to_server,established; content:"/argh/notify.php?emailaddr="; nocase; http_uri; content:"msg=SERVER"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"SiLENT"; nocase; http_header; content:"SPY"; nocase; http_header; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6023; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC dsk lite 1.0 variant outbound connection php notification"; flow:to_server,established; content:"/crakzpackz/sys/add.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"vicname="; nocase; http_uri; content:"server=DSK"; nocase; http_uri; content:"password="; nocase; http_uri; content:"usrname="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6020; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC dsk lite 1.0 variant outbound connection cgi notification"; flow:to_server,established; content:"/cgi-bin/log.cgi?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"vicname="; nocase; http_uri; content:"server=DSK"; nocase; http_uri; content:"password="; nocase; http_uri; content:"usrname="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6019; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC dsk lite 1.0 variant outbound connection icq notification"; flow:to_server,established; content:"/whitepages/page_me.php?"; nocase; http_uri; content:"from=DSK"; distance:0; nocase; http_uri; content:"fromemail=Dsk"; distance:0; nocase; http_uri; content:"subject=Vics"; distance:0; nocase; http_uri; content:"body=DSK"; distance:0; nocase; http_uri; content:"to="; distance:0; nocase; http_uri; content:"Send="; distance:0; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6018; rev:8;)
# alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3016; rev:10;)
# alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3015; rev:10;)
# alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:ruleset community; classtype:misc-activity; sid:3014; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"MALWARE-CNC Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick upload/execute arbitrary file"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:ruleset community; classtype:misc-activity; sid:3012; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get system directory"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3011; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get windows directory"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3010; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:ruleset community; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9;)
# alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"index.aspx?"; http_uri; pcre:"/index\x2easpx\x3f[0-9a-fA-F]{2}\x3d\d{1,7}I\d{1,10}/U"; content:"Cookie: B="; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/c12c593553214c3c5fa230f2576b610adcc1a1074fc2dae2431699012589af70/analysis/; classtype:trojan-activity; sid:27003; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"index.aspx?"; pcre:"/index\x2easpx\x3f[0-9a-fA-F]{2}\x3d\d{1,7}I\d{1,10}/"; content:"Cookie: B="; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/c12c593553214c3c5fa230f2576b610adcc1a1074fc2dae2431699012589af70/analysis/; classtype:trojan-activity; sid:27002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"|11 00 00 00 BD B4 E8 BE B6 75 9C A0 80 44 8B EB 82 8B A3 93|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:27000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chinoxy variant outbound connection"; flow:to_server,established; content:"new/f21312a"; fast_pattern; http_uri; content:"baidu.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ad424e0a59135e4d2b1b1ac984bc8a4c1566e147478064d9d5c0fe5031cf6433/analysis; classtype:trojan-activity; sid:26999; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC OSX.Trojan.Morcut file download"; flow:to_client,established; file_data; content:"skype.skype|00|com"; nocase; content:"adiumX.adiumX|00|sem-mdworker|00|SM"; fast_pattern:only; content:"/tmp/launchch-%d|00|command"; nocase; content:"sandbox_check|00|appleHID"; nocase; content:"inputLoggerHook|00|initWithCString"; nocase; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a84f70ba6d868b9095758c0aa5b3980521e24d6e11d264e389b59c08bcfed2ef/analysis/1371835560/; classtype:trojan-activity; sid:26998; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Morcut variant outbound connection"; flow:to_server,established; content:"Content-Length|3A| 112|0D 0A|"; http_header; content:"User-Agent|3A| Mozilla/5.0 (Macintosh|3B| U|3B| Intel Mac OS X 10_6_7|3B| en-us) AppleWebKit/534.16+ (KHTML|2C| like Gecko) Version/5.0.3 Safari/533.19.4"; fast_pattern:only; http_header; content:"Content-Type: application/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a84f70ba6d868b9095758c0aa5b3980521e24d6e11d264e389b59c08bcfed2ef/analysis/1371835560/; classtype:trojan-activity; sid:26997; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/svc.dat"; http_uri; content:"User-Agent:Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26996; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"/opt.dat"; http_uri; content:"User-Agent:Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/FFF7840FFB18110BBED8872DEFB6F6DA7243DD840A1A611016C44312CB40974C/analysis/; classtype:trojan-activity; sid:26995; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; content:"fetch.py"; fast_pattern:only; http_uri; content:"method|3D|POST|26|encoded|5F|path"; nocase; content:"|26|headers|3D|"; http_client_body; content:"|26|postdata|3D|"; http_client_body; content:"|26|version|3D|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:26987; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Xenil variant outbound connection"; flow:to_server,established; content:"|0A 00 00 11 00 00 00 00|"; depth:8; isdataat:!199; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/27334d1c4dd2a98c2ec9f5f97fed469b445459691bc09e33c0382be011ef5787/analysis/; classtype:trojan-activity; sid:26986; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Agent.xii variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/financial/curl/"; http_uri; content:"/-/"; distance:0; http_uri; content:"/-/"; within:3; distance:16; http_uri; content:"2.jpg"; within:5; distance:5; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/fc1ccbcac9da126ed8e99f827aef2b1c5a37d86668fec9f85b952d13221f0efb/analysis; classtype:trojan-activity; sid:27114; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/uploading/id="; http_uri; content:"&u="; distance:0; http_uri; content:"=="; distance:0; http_uri; content:!"Referer"; http_header; pcre:"/^\/uploading\/id=\d+\&u=.*==$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27093; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Weavun variant outbound connection"; flow:to_server,established; content:"Io ci sono|0D 0A|"; depth:12; content:"|20 28|version|20|"; depth:64; content:"|29 0D 0A|"; content:"Risoluzione schermo:"; content:"Product ID:"; content:"Memoria utilizzata:"; fast_pattern:only; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/de054ac5225d2afd8b1f18f93b482a2ad668ed4e93adf7178639f4360b06605b/analysis; classtype:trojan-activity; sid:27091; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.HackBack variant outbound connection"; flow:to_server,established; content:"/ADMac/up.php?cname="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27058; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalbot variant outbound connection"; flow:to_server,established; content:"Cookie: CAQGBgoFD1"; fast_pattern:only; content:"CAQGBgoFD1"; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/dbf9d2a7659d09ea7ef2d38f30fa4cfb/analysis/; classtype:trojan-activity; sid:27057; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes variant outbound connection"; flow:to_server,established; content:"=qgAAAAgA"; fast_pattern:only; http_client_body; content:"/report.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27054; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3337 (msg:"MALWARE-CNC Win.Trojan.Dokstormac variant outbound connection"; flow:to_server,established; content:"QDAwMDB+"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27049; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Transhell variant outbound connection user-agent"; flow:to_server,established; content:"="; depth:1; offset:2; http_uri; content:"Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/204c13f7ed2d3e5c78f3ef8a44eb561c/analysis/; classtype:trojan-activity; sid:27033; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4141 (msg:"MALWARE-CNC Win.Trojan.Netweird.A outbound connection"; flow:to_server,established; flowbits:isset,netweird; dsize:5; content:"|01 00 00 00 02|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,blog.webroot.com/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/; classtype:trojan-activity; sid:27023; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 4141 (msg:"MALWARE-CNC Win.Trojan.Netweird.A outbound connection"; flow:to_server,established; dsize:69; content:"|41 00 00 00 03|"; fast_pattern:only; flowbits:set,netweird; flowbits:noalert; metadata:impact_flag red; reference:url,blog.webroot.com/2012/09/14/wirenet-the-password-stealing-trojan-lands-on-linux-and-os-x/; classtype:trojan-activity; sid:27022; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Layvam variant outbound connection"; flow:to_server,established; content:"/cgi/1b50500dad/543/34/84a9dfcd/1056937278"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fdfc0232d2f22dc2459476e6951553a49eaaef4e8013f70a7be93c7b88658a5c/analysis/; classtype:trojan-activity; sid:27021; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Epipenwa variant outbound connection"; flow:to_server,established; content:"/whisperings/whisperings.asp"; fast_pattern:only; content:"name="; http_client_body; content:"&userid="; http_client_body; content:"&other="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4f0532e15ced95a1cebc13dd268dcbe7c609d4da237d9e46916678f288d3d9c6/analysis; classtype:trojan-activity; sid:27014; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Phoenot variant inbound connection"; flow:to_client,established; file_data; content:"<application>"; content:"Liste de toutes les versions de Windows avec lesquelles cette application peut fonctionner"; within:104; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27013; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Phoenot variant outbound connection"; flow:to_server,established; content:"mylogs.php"; fast_pattern:only; http_uri; content:"&username="; content:"&os="; content:"logs="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f2ad0b3639f89dcbe53f7c5917a95e61e53c4e83c54b71c545d277c5a8790404/analysis/; classtype:trojan-activity; sid:27012; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot payment .scr download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:".rdata|00 00 38 58 00 00 00 F0 01 00 00 5A 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27010; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"/col/gate.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27008; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"/col/cfg.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e3e36cbbb983ce6a03aea90eb15393eed58d3199d674d96f4c88134056d258bb/analysis/; classtype:trojan-activity; sid:27007; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/minzhu0906/article/54726977"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e6e009755ab37fa41e92059f29c25518f47ab09dbc881c30c96415ee1048241b/analysis; classtype:trojan-activity; sid:27120; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Wergimog variant outbound connection"; flow:to_server,established; content:"|AF B0 F3 AA F1 98 B0 FF B9 BB AC F0|"; depth:16; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/7f2001246067e618b9bce2bdb1ae8b4ec0cae5e371a140288554dfab43d19ae7/analysis; classtype:trojan-activity; sid:27178; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Atezag variant outbound connection"; flow:to_server,established; content:"/carga1/recept.php"; fast_pattern:only; http_uri; content:"condicao="; nocase; http_client_body; content:"arq="; distance:0; nocase; http_client_body; content:"texto="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2d85447bc2634a2620ad76be2a5eb331f5a06276e5b597d36ba26643850d4dcb/analysis/; classtype:trojan-activity; sid:27169; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:!"Accept-Encoding"; http_header; content:!"Content-Encoding"; http_header; content:!"Transfer-Encoding"; http_header; content:"/swiftone/cxg.bin"; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/5bcb2290a6da89fba85b2724f8d4d661001d1ff90f9ef955f44f6ba623afdbd9/analysis/; reference:url,www.virustotal.com/en/file/69a466e6a61746c872ea1cdcd1ec3610a559d6801a013296ccca3e6f491a5eae/analysis/; reference:url,www.virustotal.com/en/file/81b88a43575b6642fb4ea054a7c02d5a9ce0d0fe8bb360520bf888f5ce5476d8/analysis/; classtype:trojan-activity; sid:27160; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pesut variant outbound connection"; flow:to_server,established; content:"showthread.php"; fast_pattern:only; http_uri; content:"Content-Length: 65"; http_header; content:"id|3D|"; content:"|26|info|3D|"; within:6; distance:32; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c21dad2af378b2fb203ed193bad0f338d792bdae59971cda37c93092e7cddc8f/analysis; classtype:trojan-activity; sid:27159; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eliseantry variant outbound connection"; flow:to_server,established; content:"/"; http_uri; content:"/page_"; within:11; distance:8; http_uri; content:".html"; within:5; distance:8; http_uri; content:"Content-Length: 0"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/43cc54828ba5e8deb457db6aa1903c0ff81cf9a073cd11ef0aa07788cdcc0bcd/analysis; classtype:trojan-activity; sid:27158; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"Firefox/3."; fast_pattern:only; http_header; pcre:"/^\/[A-Z]{6}$/U"; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b95f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; offset:6; fast_pattern; http_uri; content:" HTTP/1."; within:11; distance:1; http_header; content:"|0D 0A|User-Agent: Mozilla/"; within:22; distance:1; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n(Cache\x2dControl|Pragma)\x3a\x20no-cache\r\n\r\n$/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Yakes Trojan HTTP Header Structure"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".php HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; within:113; pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; pcre:"/[\x2f\x2b\x3d]/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27254; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern"; flow:to_server,established; urilen:<34; content:"POST"; http_method; content:"U|3B| MSIE "; http_header; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10})?/U"; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e6751621f921ca53cc7e421/analysis/; classtype:trojan-activity; sid:27253; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound connection"; flow:to_server,established; urilen:111; content:"=="; depth:2; offset:103; content:" HTTP/1.0|0D 0A|Host:"; within:16; distance:10; pcre:"/^\/[a-z\d]{98}\x3d{2}[a-z\d]{10}$/Ui"; content:!"Accept:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27252; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Java.Agent.NFK variant connection"; flow:to_server,established; content:"/cybercrime-suspect-arrested/"; http_uri; content:"s.ini"; within:5; distance:2; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/125bc157262066a8ccf41ed07db712570919fe7aefeae90045de7febe2ed51b4/analysis; classtype:trojan-activity; sid:27260; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lorapu variant outbound connection"; flow:to_server,established; content:"/v12/kkrasxuparola/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/23de6502fbdb613dd9de4c7cdf68f00170cd53e8130af39623b5d9cac3807c92/analysis/; classtype:trojan-activity; sid:27551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Janicab outbound connection"; flow:to_server,established; content:"hjdullink.nl"; fast_pattern:only; http_header; content:"/images/re.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27547; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Janicab outbound connection"; flow:to_server,established; content:"/watch?v=ky4M9kxUM7Y"; fast_pattern:only; http_uri; content:"youtube.com"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27546; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Janicab outbound connection"; flow:to_server,established; content:"/watch?v=DZZ3tTTBiTs"; fast_pattern:only; http_uri; content:"youtube.com"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27545; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Janicab runtime traffic detected"; flow:to_client,established; file_data; content:"content=|22|just something i made up for fun, check out my website at"; fast_pattern:only; content:"X-YouTube-Other-Cookies:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27544; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Win.Trojan.Kraziomel Download - 000.jpg"; flow:to_server,established; urilen:8; content:"/000.jpg"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; content:"/ld.aspx"; nocase; http_uri; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Bezigate variant outbound connection"; flow:to_server,established; content:"|7C 00 31 00 7C|"; content:"|7C 00 31 00 2E 00 30 00 7C|"; within:12; distance:11; content:"|7C|"; within:1; distance:3; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/9bc081ad89b23d00f986765232d53f75e9cdd92eabf6239beec0c2a1c7f55764/analysis; classtype:trojan-activity; sid:27558; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"000001000000000000000000"; depth:24; offset:333; content:"Accept-Language: En-us/r/n|0D 0A|"; content:"Accept-Encoding: gzip,deflate/r/n|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/de/file/F1E092D36E21FF5D9FFB455E442A95DBDB9F9A69A9AEDD3EB2CD2500EF418CFE/analysis/; classtype:trojan-activity; sid:27577; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Noobot variant connection"; flow:to_server,established; content:"CLIP=SQA2"; fast_pattern:only; content:"CLIP=SQA2"; http_cookie; content:"|3B|STCD="; content:"|3B|STCD="; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/4f5a82e8e4da3fe45c42a347e460d6d6a8a3444d437a33cadc3a0971d4e8245f/analysis/; classtype:trojan-activity; sid:27601; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nawpers variant connection"; flow:to_server,established; content:"/ini.jpg?mid="; fast_pattern; http_uri; content:"&os="; http_uri; content:"&cid="; within:5; distance:2; http_uri; content:"User-Agent: ie"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/99c696566aad29227352434e1bf8f185b5f63250978025066da82cfb9ece32f5/analysis/; classtype:trojan-activity; sid:27600; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fort Disco Registration variant outbound connection"; flow:to_server,established; content:"/cmd.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redyms variant outbound connection"; flow:to_server,established; content:"&intip="; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"&port="; distance:0; http_uri; content:"&bid="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant connection"; flow:to_server,established; content:"/order.php"; http_uri; content:"cc0="; depth:4; fast_pattern; http_client_body; content:"&cc1"; http_client_body; content:"&cs1="; http_client_body; content:"&cs2="; http_client_body; content:"&cs3="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e8e2062026171dd1950a4571846a48dc9ad2c4a42eea0db83e9a4994fa1b05ff/analysis/; classtype:trojan-activity; sid:27643; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downbot variant connection"; flow:to_server,established; content:"/index.htm"; http_uri; content:"User-Agent:"; http_header; content:"+Windows+NT+"; within:25; distance:3; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8cde65e4091da0b5e51df00ac2fd604c89e3256f372a8757c94910228f90ce6c/analysis/; classtype:trojan-activity; sid:27642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meilat variant connection"; flow:to_server,established; content:"enviamail.php"; http_uri; content:"User-Agent: tiehttp"; fast_pattern:only; http_header; content:"filename="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2b56503a5f696b205b954a4ed5102f2de4be807f0ebcb10de285316f9b6b8bc9/analysis/; classtype:trojan-activity; sid:27641; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chekafe variant connection"; flow:to_server,established; content:"/interface/reg_cookie.jsp"; http_uri; content:"uid="; http_uri; content:"User-Agent: my_check_data"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/716e61b72fd00a4be7f31ed74ba7e5b16b0106047171c47ffe666b608edf5111/analysis/; classtype:trojan-activity; sid:27640; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Epipenwa variant connection"; flow:to_server,established; content:"/aspnet_client/report.asp"; fast_pattern:only; http_uri; content:"name="; depth:6; http_client_body; content:"&Gender="; within:8; distance:8; http_client_body; content:"&Random="; within:8; distance:1; http_client_body; content:"SessionKey="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dbbd5d7944b1791027762a40a70b3c74772a9d31b5c67b6519394a1705edabcc/analysis/; classtype:trojan-activity; sid:27639; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Syhcmd variant connection"; flow:to_server,established; content:"*(SY)# "; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/2392a60647f2eb2ee34b7a7d48e953b9780e6709393d16b56ca810f9a4292c6a/analysis/; classtype:trojan-activity; sid:27637; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Likseput variant connection"; flow:to_server,established; content:"Start OK."; depth:9; http_client_body; content:"User-Agent: Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/191afbd9c5ac94d3d97d040e583fcdc4af9c020c56c691ecfe4e98fa612576ec/analysis/; classtype:trojan-activity; sid:27636; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Silly variant outbound connection"; flow:to_server,established; urilen:7; content:"/ul.htm"; fast_pattern:only; http_uri; content:"|3B| MSIE 6.0|3B 20|"; http_header; content:!"Accept-Language: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27633; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/buy-sell/search.asp?newsid="; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27631; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27630; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/tomcat-docs/index.jsp?/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.01|3B| Windows NT 5.0|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27629; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Goolelo variant connection"; flow:to_server,established; content:"/Default.aspx"; http_uri; content:"INDEX="; http_uri; content:"User-Agent: Win"; fast_pattern; http_header; content:"|0D 0A|"; within:2; distance:2; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/406e73948c78b1e692646ea0edbadbb366bede04036114ac2bf86c413d4d4132/analysis/; classtype:trojan-activity; sid:27678; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.evf variant connection"; flow:to_server,established; content:"/space/"; http_uri; content:".gif"; within:4; distance:18; http_uri; content:"User-Agent: User Agent|0D 0A|"; depth:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d0375fb2448e91b47b97f3fb132a6eafd04974da5496c55adb2bdb310e9f5ea3/analysis/; classtype:trojan-activity; sid:27670; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1314 (msg:"MALWARE-CNC Win.Trojan.Castov variant connection"; flow:to_server,established; content:"//tj/"; depth:5; offset:5; content:"form-data|3B| name=|22|logo|22 3B|"; content:"B87DEC0C_KG.z"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/78d271c915cd4eb00fcab54cb40369b69bab13e3bb87db28811a715bd1f86673/analysis/; classtype:trojan-activity; sid:27665; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1314 (msg:"MALWARE-CNC Win.Trojan.Castov variant connection"; flow:to_server,established; content:"/tj/"; depth:4; offset:4; content:"KG"; content:"mac="; content:"User-Agent: tj_KG"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/78d271c915cd4eb00fcab54cb40369b69bab13e3bb87db28811a715bd1f86673/analysis/; classtype:trojan-activity; sid:27664; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Galfun variant outbound connection"; flow:to_server,established; content:"/1.asp?mac="; http_uri; content:"&compter="; within:9; distance:12; http_uri; content:"&flag="; distance:0; http_uri; content:"&run="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/28c6469d7ebbc79e7509d7fc3f4d8a3389c4a79369ccf8ed1b71d55967879c90/analysis/; classtype:trojan-activity; sid:27662; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Reabfrus variant connection"; flow:to_server,established; content:"/logs/login.asp"; http_uri; content:"command="; depth:9; http_client_body; content:"&result=%"; within:14; distance:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/21101ae64d881df51e46be9e4f693a9029862c5dab8a53d504303c53a5d1d7a3/analysis/; classtype:trojan-activity; sid:27661; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Reabfrus variant connection"; flow:to_server,established; content:"/logs/login.asp"; http_uri; content:"User-Agent: Internet SurfBear|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/21101ae64d881df51e46be9e4f693a9029862c5dab8a53d504303c53a5d1d7a3/analysis/; classtype:trojan-activity; sid:27660; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1122 (msg:"MALWARE-CNC Win.Trojan.Gapz variant connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"User-Agent: Simple Agent"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4297fe60c75b807687f87737c495d7743114fddc87b6769463d7526f12c05aec/analysis/; classtype:trojan-activity; sid:27659; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Enchanim variant connection"; flow:to_server,established; content:"i.html?n="; http_uri; content:"pl="; http_uri; content:".exe"; http_uri; content:"System Process"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a74320b4173a2fcdc7c74290a1edf1d760c581605c29e839bf727bb66fe676b7/analysis/; classtype:trojan-activity; sid:27655; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE-CNC Win.Backdoor.Agent variant outbound connection"; flow:to_server; content:"|30 00|"; depth:2; content:"|00 00 00|"; within:3; distance:1; content:"|3D 52 47 0F 00 04 00 00 00 10 00 00 00 00 00 00|"; within:16; distance:2; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/fe4985b13b2270c0e71a2c0755a22c17bba968ac66b94899fe6dccc22aacbd54/analysis/; classtype:trojan-activity; sid:27654; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brazilian Banking Trojan data theft"; flow:to_server,established; content:"POST"; http_method; content:"remetente="; depth:10; http_client_body; content:"&destinatario="; distance:0; http_client_body; content:"&assunto="; distance:0; http_client_body; content:"&mensagem="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker.ZSL variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"valor="; depth:6; http_client_body; content:"]branco["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a42634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nelaja variant outbound connection"; flow:to_server,established; content:"/key/atualizaCliente.php"; fast_pattern:only; http_uri; content:"nome="; http_client_body; content:"serial="; http_client_body; content:"janela="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f02b875d440ac6e2b9afd8114522b4e9184b48b1c8db5c0b0dc52cbef396f0ad/analysis/; classtype:trojan-activity; sid:27647; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Binjo variant outbound connection"; flow:to_server,established; content:"/regsid.php?windows_name="; fast_pattern:only; http_uri; content:"&email_name="; nocase; http_uri; content:"&email_address="; nocase; http_uri; content:"&url_a="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/488be5e03006bcc49733e71e17da10183c68b4bf23a7c76a0b263eda7cc10741/analysis/; classtype:trojan-activity; sid:27645; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Merong variant connection"; flow:to_server,established; content:"/office/8122.html?"; fast_pattern:only; http_uri; content:"User-Agent: IPHONE"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/864f3e51474a185a589070bfc412ddcc48e7cd60132b4f82ade86aeef83b086b/analysis/; classtype:trojan-activity; sid:27644; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection"; flow:to_server,established; urilen:>95; content:".php HTTP/1.1|0D 0A|User-Agent: Opera/"; fast_pattern:only; pcre:"/(?=^[a-z\x2d\x5f\x2f]{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d?\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27680; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; content:!"Accept|3A| "; content:"GET /"; pcre:"/^GET\s\x2f[A-F0-9]{152}/m"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:27679; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Tartober variant connection"; flow:to_client,established; file_data; content:"<!--<2010QBP "; fast_pattern:only; content:"2010QBP//-->"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/143160f9d34f9e23433b78c2c820906d2814ac17ce625bec423ee547290f1184/analysis/; classtype:trojan-activity; sid:27699; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kolok variant connection"; flow:to_server,established; content:"/update.php?seller="; fast_pattern; http_uri; content:"&build="; within:7; distance:11; http_uri; content:"&version="; within:10; distance:6; http_uri; content:"&connect=1"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/88a9b892455b11be267f7824758625da930b7456a5bc3c488ebec03e03b42b99/analysis/; classtype:trojan-activity; sid:27720; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV variant outbound connection"; flow:to_server,established; content:!"User-Agent|3A| "; http_header; content:"/stget.php"; fast_pattern:only; http_uri; content:"av="; http_uri; content:"os="; http_uri; content:"vm="; http_uri; content:"digital="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/87bd1619b55d43fe3eb5ffc489b9019f9b8240a8b04678db0111e77ba6168edd/analysis/; classtype:trojan-activity; sid:27711; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection"; flow:to_server,established; urilen:>145,norm; content:".html"; http_uri; content:"|0D 0A|User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; content:!"Cookie:"; http_header; content:!"X-BlueCoat-Via:"; http_header; content:!"Referer"; http_header; pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/U"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27708; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Treizt variant connection"; flow:to_server,established; content:"/forum/"; http_uri; content:".php"; within:4; distance:32; http_uri; content:"Data="; depth:5; fast_pattern; http_client_body; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/021a371c33a8564658b1b852e321e1a745001c08880f4d77a559115c12b66275/analysis/; classtype:trojan-activity; sid:27759; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banechant outbound variant connection"; flow:to_server,established; content:"/adserv/logo.jpg"; fast_pattern; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2488e0fe5d01dfd2b9ed782f07910109fa9468c47fe5ee1777766c6a2acc7603/analysis/; classtype:trojan-activity; sid:27747; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Hanthie variant outbound connection"; flow:to_server,established; content:"/hat/gate.php"; fast_pattern:only; http_uri; content:!"Referrer"; http_header; content:!"&"; http_client_body; content:!"%"; http_client_body; pcre:"/^([A-Za-z0-9+\x2f]{4})*([A-Za-z0-9+\x2f]{4}|[A-Za-z0-9+\x2f]{3}=|[A-Za-z0-9+\x2f]{2}==)$/mP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/bd92ce74844b1ddfdd1b61eac86abe7140d38eedf9c1b06fb7fbf446f6830391/analysis/; classtype:trojan-activity; sid:27746; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/param.php?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27728; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/myinfo.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27727; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/ido.ipl"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27726; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:".htm"; http_uri; content:!"Accept"; http_header; content:"|0A|Content-Length: 164|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:"host|3A|"; nocase; http_header; content:"|2E|"; within:5; http_header; content:"|2E|"; within:4; http_header; content:"|2E|"; within:4; http_header; content:"|6C 55 55 45|"; depth:4; offset:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27775; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Data Exfiltration"; flow:to_server,established; content:"POST"; http_method; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"_.log|22 0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; classtype:trojan-activity; sid:27774; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mindweq variant connection"; flow:to_server,established; content:"/images/news.jpg"; fast_pattern:only; http_uri; content:")--"; http_header; content:"Cache-Control: no-cache|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1bf7a67a73501f72c89e9b35e731f13b50c58963cbf44b070b4f44964c5345fd/analysis; classtype:trojan-activity; sid:27811; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Retruse variant connection"; flow:to_server,established; content:"/command.php?a="; fast_pattern:only; http_uri; content:"&user="; http_uri; content:"&region"; http_uri; content:"&hwid="; http_uri; content:"&version="; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5c347485318e20db5e72004f8073d75c9dbc6ed439b3093248275545ee88fadc/analysis; classtype:trojan-activity; sid:27806; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bisonha variant outbound connection"; flow:to_server,established; content:"GET /3001"; fast_pattern; isdataat:260,relative; content:"0000000000000000000000000"; pcre:"/\/3001[0-9A-F]{262,304}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-on-G20Summit-Espionage-Operation; reference:url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/; classtype:trojan-activity; sid:27805; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index.php"; nocase; http_uri; content:"foo="; http_cookie; content:"data=RcpTfdssoD9KB9O"; depth:20; fast_pattern; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27804; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/form.php"; depth:9; http_uri; content:"RcpTfdsvoD9KB9O"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27803; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index_htm_files2/"; nocase; http_uri; content:".png"; within:4; distance:3; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27802; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tenavt connection"; flow:to_server,established; content:"/rouji.txt"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (IE7.0 |3B| compatible)|0D 0A|"; http_header; content:"Pragma: no-cache|0D 0A|"; http_header; pcre:"/^\x2frouji.txt$/mU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/989f27483df495073a57189295e603059f7773a73b216d2916ee83b638e86b51/analysis; classtype:trojan-activity; sid:27817; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Helauto variant connection"; flow:to_server,established; content:"CONNECT / "; content:"|0D 0A 0D 0A|Hello.I am here!"; fast_pattern:only; content:!"User-Agent"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a834ac7940783110c1fffef4963e88fea547b5d56a57927cf754b50f5f001d79/analysis/; classtype:trojan-activity; sid:27905; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper outbound connection"; flow:to_server,established; content:"User-agent|3A| Mozilla/5.0 |28|iPad|3B| CPU OS 5_1 like Mac OS X|29| AppleWebKit/534.46 |28|KHTML, like Gecko |29| Version/5.1 Mobile/9B176 Safari/7534.48.3"; fast_pattern:only; http_header; content:"svv="; http_uri; content:"yvx="; http_uri; content:"kmm="; http_uri; content:"smb="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/62ba5ca1c76fed47e4e91e07747b426bd9d95a343289fac28a3f6303863bbc63/analysis/1378829623/; classtype:trojan-activity; sid:27867; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sinowal variant connection"; flow:to_server,established; content:"POST"; http_method; content:"/searc"; depth:6; http_uri; content:"?fr=altavista&itag=ody&q="; fast_pattern; http_uri; content:","; within:1; distance:32; http_uri; content:"&kgs=1&kls=0"; within:12; distance:16; http_uri; content:!"User-Agent: "; http_header; content:!"Cookie: "; http_header; content:!"Accept: "; http_header; pcre:"/&q=[a-f0-9]{32},[a-f0-9]{16}&kgs=/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7a34f880b60e3d3e0146ffdc88d53768ac35fd9b6fb2cb5f304d5fce33dae655/analysis; classtype:trojan-activity; sid:27864; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|"; fast_pattern:only; http_header; content:"|3B| MSIE "; http_header; pcre:"/[^ -~\r\n]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:"; fast_pattern:only; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; http_header; content:"|3B| MSIE "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Galock variant connection"; flow:to_server,established; content:"?uid="; http_uri; content:"&os="; distance:0; http_uri; content:"&partner_id="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:"&account={"; distance:0; http_uri; content:"&language="; distance:0; http_uri; content:"&codepage="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/54b1d7a5dfc144d2dff5ba0fcba0b3202120d5dcf7afd0005a993abcf527e1fd/analysis; classtype:trojan-activity; sid:27939; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dofoil variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:!"Referer|3A|"; http_header; content:"User-Agent|3A|"; depth:11; http_header; content:"MSIE"; http_header; content:"application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\d+$/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28040; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy variant outbound connection"; flow:to_server,established; urilen:>95,norm; content:"User-Agent|3A| Opera/10.80 |28|Windows NT 5.1|3B| U|3B| Edition Yx|3B| en|29| Presto/2.9.168 Version/11.52|0D 0A|"; fast_pattern:only; pcre:"/\x2f[a-z-_]{90,}\x2e(html|php)$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28033; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"from=%20Nome..:"; depth:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"/index.aspx?info=createproc_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28011; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"/index.aspx?info=tserror_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=configkey"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"/index.aspx?info=reuse"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28008; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=startupkey_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28007; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound command"; flow:to_server,established,only_stream; content:"/index.php?"; http_uri; content:"-dsafe_mode"; distance:0; http_uri; content:"-ddisable_functions"; distance:0; http_uri; content:"-dallow_url_fopen"; distance:0; http_uri; content:"-dallow_url_include"; distance:0; http_uri; content:"-dauto_prepend_file"; distance:0; http_uri; content:"echo.txt"; detection_filter:track by_src, count 20, seconds 60; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa20ac5f5e897feac8d86755a/analysis/; classtype:trojan-activity; sid:28005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus dropper variant connection"; flow:to_server,established; content:"/forums/matrixo/family/xxx/xd/xxx/x.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99/analysis/; classtype:trojan-activity; sid:27970; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [8080] (msg:"MALWARE-CNC Win.Trojan.Updays variant connection"; flow:to_server,established; content:"Pack|A1 F4|"; depth:6; content:"|A1 F4|Ver1125|A1 F4|Over"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/71aecb9ffc7a883bc715e3fab0a9a4b01e7c2048c0229cece9f4837d6cbf0e72/analysis; classtype:trojan-activity; sid:27969; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Execute"; nocase; http_client_body; content:"On+Error+Resume+Next:"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27968; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"caidao="; fast_pattern:only; http_client_body; pcre:"/caidao\s?=\s?(Response|Write|Execute)/Pmi"; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27967; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Response"; nocase; http_client_body; content:"FromBase64String"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27966; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:27964; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Lolbot variant outbound connection"; flow:to_server,established; content:"USER onthelinux"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/41A182EED3D98203AF1BAD86B7066BFDD65664BC3DD0990B0059B0A187E7576D/analysis/; classtype:trojan-activity; sid:27963; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/er"; nocase; http_uri; content:"|05 19 40 2C EA 2C 4A 81 15 81 9C 0D 26|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fMevade.A&ThreatID=-2147285192; reference:url,www.virustotal.com/en/file/8d19ae32b5d30b6598fd80c89cea57d5d55c33ebac001ba623a4c4c8bca70b62/analysis/; classtype:trojan-activity; sid:27955; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw variant outbound connection"; flow:to_server,established; content:"/ping.html?r="; fast_pattern:only; http_uri; content:!"/utils/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:28042; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBKrypt variant connection"; flow:to_server,established; content:"/tbaxub.txt"; depth:11; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3493c819333b00b94b1b7843f938d52e1d0151cbb8daede35e8b1cc2b263af88/analysis; classtype:trojan-activity; sid:28045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; content:"/crypt_1_sell"; fast_pattern:only; http_uri; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28107; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28106; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28105; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ohlat variant connection"; flow:to_server,established; content:"/jjuv"; depth:5; fast_pattern; nocase; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.0|3B| Trident/4.0)"; http_header; content:"Accept-Encoding: identity"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b73784b2a6dc5140d535d132cd297cfa9c37b523c135996ac8b6fa17b72b484c/analysis/; classtype:trojan-activity; sid:28097; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Spynet variant connection"; flow:to_server,established; content:"pong"; depth:4; nocase; content:"Program Manager"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/869d955cbf0ac74ddb316beaa6a9481d9c6fb0c828aa97fc4ac97ce3f728237b/analysis; classtype:trojan-activity; sid:28096; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Liteol variant connection"; flow:to_server,established; content:"/forum/post.php"; http_uri; content:!"User-Agent:"; http_header; content:"LxINAXyI"; depth:8; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f2668ab84dd3fc7d0c8a8ca92ed9563f10fbf6c32f059600a5b91e7cc7204302/analysis/; classtype:trojan-activity; sid:28095; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Liteol variant connection"; flow:to_server,established; content:"/forum/post.php"; http_uri; content:!"User-Agent:"; http_header; content:"tX7ueMcM"; depth:8; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f2668ab84dd3fc7d0c8a8ca92ed9563f10fbf6c32f059600a5b91e7cc7204302/analysis/; classtype:trojan-activity; sid:28094; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hupigon variant connection"; flow:to_server,established; content:"HUC|2D|Flashxp|00 00|"; depth:13; fast_pattern; content:"|00 00|HACK|00 00|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/adf90806f52dbfe411db252d26eb068087f1270e6289653bd3f09c85e2cbef72/analysis/; classtype:trojan-activity; sid:28084; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"v="; http_client_body; content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c="; distance:0; http_client_body; content:"|26|s={"; distance:0; http_client_body; content:"}|26|w="; within:4; distance:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.gzfw connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.2|3B| SV1|3B| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1) |3B| .NET CLR 1.1.4322|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/60ed30efb4475e0cebd56c9dec533f22c019e8293c7a3898accdc526f2bf5e4c/analysis; classtype:trojan-activity; sid:28075; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ADKR connection"; flow:to_server,established; content:"/aces.php"; fast_pattern:only; http_uri; content:"&maq="; http_client_body; content:"&tmp="; http_client_body; content:"&obs="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b61d1a79849727e6feacaca218415ada9961f74188bbc72cc16cdbef57a6d9e2/analysis; classtype:trojan-activity; sid:28074; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32.Kimsuky variant file stealing"; flow:to_server,established; content:"/upload/xhrupload.php"; fast_pattern:only; http_uri; content:"-leeks-"; http_header; content:".hwp|22|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0bdee5c43a7a92f69552b765d7c714793d29519ec2e037dac97e8e2a67dabacc/analysis; classtype:trojan-activity; sid:28073; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Omexo outbound connection"; flow:to_server,established; content:"/track_c.cgi"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"icin|7F|we"; depth:7; http_client_body; content:"|01|IOJ_H|01|"; within:15; distance:63; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7dbc9ee7ab008d7ec1522958d37d8b1a4695a0e9624db19401f7f6dee157e295/analysis/1380218352/; classtype:trojan-activity; sid:28072; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant connection"; flow:to_server,established; content:"JOIN #sp yap|0D 0A|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28134; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant connection"; flow:to_server,established; content:"/conta_infects.php"; fast_pattern:only; http_uri; content:"pcnome="; http_client_body; content:"&veros="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/129ca2cdda99f23740ed581c9106b2bc61166825cd783249061adc0c82b508ee/analysis; classtype:trojan-activity; sid:28125; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/setup.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28123; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/index.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/welcome.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/start.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/search.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/login.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/install.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/home.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/file.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/default.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established; content:"/info.php?message="; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/report.php?id=5117077; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 666 (msg:"MALWARE-CNC Win.Trojan.Bifrose variant connection"; flow:to_server,established; content:"|7C 78 01 8D 50|"; depth:5; offset:3; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/73eae4636b39686e0f718bbd1a8413ec6955698d0ee78f1de7f8a6213a44f606/analysis/; classtype:trojan-activity; sid:28166; rev:2;)
# alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV attempted file download"; flow:to_server,established; content:"/images/imagelink/link4.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/ee5e4042a8ea7d4e6c62e9fa08ff470911a7cfef0ad0dca82aa55943db9de656; classtype:trojan-activity; sid:28164; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.2"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.2|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28155; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.1"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.1|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28154; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - /html2/"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/html2/"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28153; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; content:"|0D 0A|uuid: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; pcre:"/[^\n -~\r]{4}/P"; content:"Content-Type|3A| binary/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity; sid:28148; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; urilen:11; content:"/search?q="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:": no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/search\?q=[0-9]$/Umi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity; sid:28147; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Salgorea variant connection"; flow:to_server,established; content:"|38 CE 64 01 BA 7F 62 03 42 DD 66 05 F4 DB C3 03|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/cd2510bfa5d41ef7b5e3404248b02db0275bfd4a15029799aa2cf67625f5709d/analysis/; classtype:trojan-activity; sid:28146; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Win32.Wpbrutebot variant connection"; flow:to_server,established; dsize:7; content:"getme|0D 0A|"; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/008a65fe1d3975c2e625389093f1052bc74dd583fa11b7702e2918924ed5e6f5/analysis; classtype:trojan-activity; sid:28144; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos outbound connection"; flow:to_server,established; content:"/file/id|3D|AgAgAAEALNABAAEFCBcAAAAAAAAAAAAAAAAAAAAYDAQTCwAAAJS|2D|m8XhETaQrLhtgiZvmW8AAFVVVVVVVVVVVVVVVVVVVVWOLc0BbhE8bv|5F|MAQB0d3N0dHh1fnNnBQYBAgMEBQYBAhORIicaRapDNFYA|25|26rt|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Medfos-A/detailed-analysis.aspx; classtype:trojan-activity; sid:28143; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.banker outbound connection"; flow:to_server,established; content:"/painel/|3F|add|3D|"; http_uri; content:"|26|inf|3D|"; http_uri; content:"User|2D|Agent|3A 20|AutoIt|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/17145306b22b157aa5e63e697e39d0358b5e7d4b12af2720f7c72c2f2eefb367/analysis/1380646075/; classtype:trojan-activity; sid:28141; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bitsto variant connection"; flow:to_server,established; content:"CONNECT /index.asp"; content:"Cache-Control: no-cache|0D 0A 0D 0A|host"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dadfdbe7aa173f42e0c3b67518d3e3e5216db3258df139d6706bb5330fc8a883/analysis/; classtype:trojan-activity; sid:28212; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Worm.IRCbot outbound connection"; flow:to_server,established; content:"JOIN |23 23|3vil n3t|21|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/adb944191af30c48bdd713f184ae3df5185e13eaf817f5fcd37baaa41d235fa6/analysis/1381173689/; classtype:trojan-activity; sid:28211; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Worm.IRCbot outbound connection"; flow:to_server,established; content:"PASS su1c1d3"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/adb944191af30c48bdd713f184ae3df5185e13eaf817f5fcd37baaa41d235fa6/analysis/1381173689/; classtype:trojan-activity; sid:28210; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.IRCbot outbound connection"; flow:to_server,established; content:"/aspnet_client/ip/0xf2.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/adb944191af30c48bdd713f184ae3df5185e13eaf817f5fcd37baaa41d235fa6/analysis/1381173689/; classtype:trojan-activity; sid:28209; rev:4;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Tuxido outbound connection"; flow:to_server,established; content:"PASS nil"; content:"USER DIX 0|20 2A 20 3A 20|DIX"; fast_pattern:only; content:"NICK A|5B|New|7C|"; pcre:"/NICK A\[New\|(98|Me|NT4.0|2000|XP|Serv2003|Vis|7|Unk)\|x(86|64)\|[A-Z\-]{1,2}\|[0-9]{1,4}\]/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/037fbf414f428b1d2dc63fb7c16a77aeb7421d2b295a97eec2cf0af379699f4b/analysis/1381249077/; classtype:trojan-activity; sid:28239; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Hdslogger outbound connection"; flow:to_server,established; content:"Heart"; depth:5; content:"|C4 02 00 00|"; within:12; content:"|66|"; within:8; content:"|9C 00 00 00|"; within:12; content:"|20|MB"; distance:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service java_rmi; reference:url,virustotal.com/en/file/5832fbbfaced9d48e2d000e56eb73bb043b9be4b37e7cb7347b68d8922d3a0f4/analysis/1381166490/; classtype:trojan-activity; sid:28234; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Boot.Bootroot Variant data upload"; flow:to_server,established; content:"/count.asp?"; fast_pattern:only; http_uri; content:"userid="; http_uri; content:"mac="; http_uri; content:"ver="; http_uri; content:"os=Windows "; nocase; http_uri; content:"flag="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1cfa93a7425562a9fdf6d02d9e6f5c2f2b6bdc0470515d95343ddaf3198d7e6; classtype:trojan-activity; sid:28230; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC known malware FTP login"; flow:to_server,established; content:"PASS 6a5124c7|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/42133f36c00b02055df7843b3bb240615dc42126a341352b95fcf0bcba74d496/analysis/; classtype:trojan-activity; sid:28216; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Perl.Shellbot variant outbound connection"; flow:to_server,established; content:"|3A|New Generation 2013"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/76B21ADF6DF117BC24F87F1BF0B67EF0A36B58F82AAB3BB7D8D0290AD3509DB6/analysis/; classtype:trojan-activity; sid:28254; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Security Cleaner Pro Install Confirmation"; flow:to_server, established; content:"/index/install/?id="; fast_pattern:only; http_uri; content:"advertid="; nocase; http_uri; content:!"User-Agent|3A 20|"; http_header; content:!"Accept-Language|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ccb6353ce1a0b047aae3620428c7dc430918833aedc56ed01098e174c0942139/analysis/1380892332/; classtype:trojan-activity; sid:28250; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; content:"|00 65 00 33 00 62 00 32 00 63 00 30 00 39 00 39 00 39 00 32 00 34 00 32 00 39 00 64 00 61 00 39 00 37 00 36 00 36 00 66 00 65 00 34 00 32 00 35 00 36 00 35 00 61 00 33 00 35 00 62 00 64 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/3ba3069fa4f846544ea88744227021889f459c2d85548e3348be10e13a6285cd/analysis; classtype:trojan-activity; sid:28247; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Phrovon outbound connection"; flow:to_server,established; urilen:11; content:"/ddd/"; fast_pattern:only; http_uri; pcre:"/\/ddd\/[a-z]{2}.gif/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d4fdedbe5891a13bd83b9d90f39a951ffa2f144df0b5d0ed613f7a107e6da1ad/analysis/1380571953/; classtype:trojan-activity; sid:28244; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KanKan variant connection"; flow:to_server,established; content:"/?u="; depth:4; http_uri; content:"&u2="; http_uri; content:"&u5=inststart"; http_uri; content:"NSIS_Inetc (Mozilla)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity; sid:28242; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2"; flow:to_server,established; content:"/?gws_rd=cr"; fast_pattern:only; http_uri; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28285; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; content:"/get.php?invite="; fast_pattern:only; http_uri; content:"Accept-Encoding: gzip"; http_header; pcre:"/^\/get.php\?invite=.*?=$/mU"; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:28255; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"FromBase64String"; http_client_body; content:"z"; within:200; nocase; http_client_body; pcre:"/z\d{1,3}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:28323; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mecifg variant outbound connection"; flow:to_server,established; content:"Cookie: sk="; fast_pattern:only; content:"sk="; depth:3; http_cookie; content:"data="; depth:5; http_client_body; pcre:"/^data=(?P<match>[\da-fA-F]{2})[0-9a-fA-F]{14,26}(?P=match)[\da-fA-F]+$/Pm"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f8a572d40fa107d766ae01ac02171dfcc445721a16d7f158d567dca83ffb104f/analysis; classtype:trojan-activity; sid:28305; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant connection"; flow:to_server,established; content:"/status/?&cmp="; fast_pattern; http_uri; content:"&src="; distance:0; http_uri; content:"&status=start"; distance:0; http_uri; content:!"User-Agent: "; http_uri; content:!"Accept"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee3524983ec6962b4061813c/analysis/1381409595/; classtype:trojan-activity; sid:28300; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Venik variant outbound connection"; flow:to_server,established; content:"|78 7C 71 4C 4A 49 49 49 4A 4C 46|"; fast_pattern:only; content:"|6D 7C|"; depth:2; offset:147; content:"Zkj"; within:3; distance:33; content:"IPAPEPKBDFFK"; within:12; distance:111; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/D426869F3DC8C7FFA65D1CF6E4FFF8470AC5C0B39A03DAFF4D6CAA0AC806E7C9/analysis/; classtype:trojan-activity; sid:28366; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC Win.Backdoor.Hupigon variant outbound connection"; flow:to_server,established; content:"HGZ5"; depth:4; fast_pattern; content:"|3C 2F|IM|3E 3C|GR|3E|"; within:20; distance:1; content:"|3C 2F|GR|3E 3C|SYS|3E|"; within:32; content:"|3C 2F|SYS|3E 3C|NE|3E|"; within:56; content:"|3C 2F|NE|3E 3C|VER|3E|"; within:23; content:"|3C 2F|VER|3E 3C|BZ|3E|"; within:24; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/en/file/dc7eff130baefff62c554db34be9ff040c01df34ad3c4f74883d68b5ab8acca6/analysis/; classtype:trojan-activity; sid:28328; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Zuza variant outbound connection"; flow:to_server,established; content:"gkxlwkeyon|40 40 40|"; http_client_body; pcre:"/\x40\x40\x40([0-9A-Z]{2}\x2D){5}[0-9A-Z]{2}/iP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/F7AB0A0D31748D32EF9A4AC6B1EDEAF0FA0B197499D3E20720559FDFEB294EE4/analysis/; classtype:trojan-activity; sid:28326; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Zuza variant outbound connection"; flow:to_server,established; content:"gicp.net"; fast_pattern:only; http_header; urilen:46; content:"/default.asp|3F|"; depth:13; http_uri; content:"D"; within:1; distance:32; http_uri; pcre:"/\x3F[0-9a-z]{32}D/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/F7AB0A0D31748D32EF9A4AC6B1EDEAF0FA0B197499D3E20720559FDFEB294EE4/analysis/; classtype:trojan-activity; sid:28325; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection"; flow:to_server,established; content:"/PHP/develop/sql_send.php?name="; fast_pattern:only; http_uri; content:"&os="; nocase; http_uri; content:"&admin="; distance:0; nocase; http_uri; content:"&ip="; distance:0; nocase; http_uri; content:"&av="; distance:0; nocase; http_uri; content:"&version="; distance:0; nocase; http_uri; content:"&cores="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ee5e4042a8ea7d4e6c62e9fa08ff470911a7cfef0ad0dca82aa55943db9de656/analysis/; classtype:trojan-activity; sid:28411; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CoinMiner variant outbound connection"; flow:to_server,established; content:"/PHP/develop/report.php?name="; fast_pattern:only; http_uri; content:"&msg="; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; content:"&ip="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ee5e4042a8ea7d4e6c62e9fa08ff470911a7cfef0ad0dca82aa55943db9de656/analysis/; classtype:trojan-activity; sid:28410; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:>90; content:"/p.ashx?prd="; fast_pattern; http_uri; content:"&pixGuid="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28405; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"MALWARE-CNC Linux.Backdoor.Tsunami outbound connection"; flow:to_server,established; content:"NICK"; depth:4; content:"USER"; within:4; distance:11; content:"|3A|raft"; within:5; distance:31; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/92dc4367d3e4500d8c951a7c1ef094407f43e6a1b937d44bff2e62df1eac2a24/analysis/; classtype:trojan-activity; sid:28399; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 (msg:"MALWARE-CNC Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established; content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |00|i|00|d|00|_|00|p|00|c|00|=|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28446; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.CBgate variant outbound connection"; flow:to_server,established; content:"|7C 0A|"; depth:5; offset:1; content:"|78 5F 4D 02 64 19 1A FA 8B 56 9F 51 DE 7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/e90ea806f0d9c174fe632f170824e175868431606c0db70773fa8c5597ac42cc/analysis/; classtype:trojan-activity; sid:28444; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bspire variant connection"; flow:to_server,established; content:"bbs/board.php?"; fast_pattern:only; http_uri; pcre:"/bincode=Wz[0-9A-Za-z\x2b\x2f]{32}\x3d{0,2}$/Um"; content:!"User-Agent"; content:!"Accept:"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,www.securelist.com/en/blog/208194231/An_ambush_for_peculiar_Koreans; reference:url,www.virustotal.com/en/file/9de48a8308d0f3ebf23c0ba2a913e44a1ee1608a70bf997f61ce6eb671819c7d; classtype:trojan-activity; sid:28439; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Tesch variant outbound connection"; flow:to_server,established; dsize:51; content:"|30 01 01 00 01 03|"; fast_pattern:only; content:"|28 0A 51|"; depth:3; offset:48; pcre:"/[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{13}\x28\x0A\x51/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/1f183874e26e6d8b002c676222b07455ac857b65c1493710c0a77195d845395b/analysis/; classtype:trojan-activity; sid:28419; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker outbound connection"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/home/"; fast_pattern; http_uri; content:"Connection: Close|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/876511719fda2fab0438ad29f9cc2f8fd684c1897a88d433f7e9c3f2e85eac0b/analysis/; classtype:trojan-activity; sid:28416; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"info.php?uid="; fast_pattern:only; http_uri; content:"&process="; http_uri; content:"&level="; http_uri; content:"&error="; http_uri; content:"&left="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bf3642afdba75a39a4d1860a18b00ef0a720739a2f5e771788ff5670c2e58765/analysis; classtype:trojan-activity; sid:28415; rev:1;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AllAple Variant ICMP flood"; dsize:33; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; fast_pattern:only; detection_filter:track by_src, count 20, seconds 10; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; reference:url,www.virustotal.com/en/file/a6e05ad7748f9aa5a9ba6bf28b62ef3304319a7bf1699de837cd5019cdce02f5/analysis/; classtype:trojan-activity; sid:28463; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC DeputyDog diskless method outbound connection"; flow:to_server,established; content:"User-Agent: lynx|0D 0A|"; fast_pattern:only; http_header; content:"POST"; http_method; pcre:"/^\x2f[0-9a-f]+$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-090; classtype:trojan-activity; sid:28493; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Codiltak variant outbound connection"; flow:to_server,established; content:"User|2D|Agent|3A 20|ChilkatUpload/2.0|20 28|http|3A|//www.chilkatsoft.com/|29|"; fast_pattern:only; http_header; content:"Keep|2D|Alive|3A 20|300"; http_header; content:"Content|2D|Type|3A 20|multipart/form|2D|data|3B 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f639eb3176848fba1354ba17010eab95d1e46a33afd752c76cf79ee7a487bfd4/analysis/; classtype:trojan-activity; sid:28486; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Khalog variant outbound connection"; flow:to_server,established; content:"/Logs/command.php"; fast_pattern:only; http_uri; urilen:17; content:"Folder|3D|"; depth:7; http_client_body; content:"|26|Req|3D|s"; http_client_body; isdataat:!1,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6158617a9bdeb99b145682cefd1d81105185a5d13ffc2eda9cbb66de701b5a7c/analysis/; classtype:trojan-activity; sid:28485; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Delpbank variant outbound connection"; flow:to_server,established; content:"|3C 7C|Info|7C 3E|"; depth:8; fast_pattern; content:"|3C 7C 3E|Microsoft Windows"; offset:8; content:"|3C 7C 3E 3C 3C 7C|"; isdataat:!1,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/34338c9bfdef11267d7c752df01900e6074ea932baad4ca65eb8bf39134ce366/analysis/; classtype:trojan-activity; sid:28484; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Terminator RAT variant outbound connection"; flow:to_server,established; content:"CONNECT"; nocase; http_method; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0.1.3|3B| Windows NT 5.0"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; classtype:trojan-activity; sid:28482; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qadars variant outbound connection"; flow:to_server,established; content:"webanalytic/analytic.php"; fast_pattern:only; http_uri; content:"=qgAAAAgA"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FQadars.A#tab=2; reference:url,www.virustotal.com/en/file/fe0587480da06bc7c23849c2551a6f58db6ea4cf881f097ac60167422a1ec3fa/analysis/; classtype:misc-activity; sid:28529; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qadars variant outbound connection"; flow:to_server,established; content:"infor.php?uid="; fast_pattern:only; http_uri; pcre:"/infor\.php\?uid=\w{52}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FQadars.A#tab=2; reference:url,www.virustotal.com/en/file/fe0587480da06bc7c23849c2551a6f58db6ea4cf881f097ac60167422a1ec3fa/analysis/; classtype:misc-activity; sid:28528; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.chfx variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; fast_pattern:only; http_header; content:"/uplo.php"; depth:9; http_uri; urilen:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/94b153696fc74083d9d9b7e4fbf9f98a9fb74325617553f791151b53ade62aec/analysis/; classtype:trojan-activity; sid:28548; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/contador/informa.php"; fast_pattern:only; http_uri; content:"op=info&informacao="; depth:19; nocase; http_client_body; content:"+%7C+IE+%3D"; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ea3faa484ed0461181543ab111bc11f69bf708b9e3e08d70fa993b85df2f2eb2/analysis/; classtype:trojan-activity; sid:28547; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established; urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding: identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: "; pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/eeaeb1506d805271b5147ce911df9c264d63e4d229de4464ef879a83fb225a40/detection; classtype:trojan-activity; sid:28541; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0"; content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|"; content:"Content-Type: multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity; sid:28538; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1314 (msg:"MALWARE-CNC Win.Trojan.Castov variant connection"; flow:to_server,established; content:"/tj/Count.asp?mac="; fast_pattern:only; content:"User-Agent: POSTtj"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58d72bee4a896b700a6a059ec19a6a49a1ce668010e3ef6d14d09d016d52c769/analysis/; classtype:trojan-activity; sid:28559; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/online.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28554; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/main.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28553; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.NXI ftp username connection"; flow:to_server,established; content:"USER shots|40|sonificaton.com|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/1efc8b171b216298acd5ee57008dba55284e8741389cd456a0055d1cdf9b3c63/analysis/; classtype:trojan-activity; sid:28551; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/xSZ64Wiax/ojXVZBxRQVfp6gAUziCGnB8V7Aikbs0Z.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/80120d0d500544c770b52b26945164dd99614101c92b32124cb98504dd89574f/analysis/; classtype:trojan-activity; sid:28607; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6178 (msg:"MALWARE-CNC Win.Trojan.Surtr variant connection"; flow:to_server,established; content:"|0E 01 00 00 0A 00 00 00 64|"; depth:256; offset:144; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/bb7c5c65ae87e61f29f471de3c201222fa0af65f958e587f27a64d206e6024ad/analysis/; classtype:trojan-activity; sid:28606; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kasnam variant connection"; flow:to_server,established; content:"/icons/fm.php?tp=in&tg="; fast_pattern:only; http_uri; content:"-i.txt&"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/89a550801ae858e8a9671fb4d36a3dc2504dd5c724f58b803b1bd9e6400657c8/analysis/; classtype:trojan-activity; sid:28605; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kasnam variant connection"; flow:to_server,established; content:"/icons/tg.php?tp=st&tg="; fast_pattern:only; http_uri; content:".txt&dt=(os)"; http_uri; content:"(/lp)(av)"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/89a550801ae858e8a9671fb4d36a3dc2504dd5c724f58b803b1bd9e6400657c8/analysis/; classtype:trojan-activity; sid:28604; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Lesirt variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla5.1|20 28|compatible|3B 20|MSIE 8.0|3B 20|Win32|29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/d5f139076e5d400cd453d3ec3d44ed212aa73fa8a86af3fe6f8a7dab3e451ac6/analysis/; classtype:trojan-activity; sid:28599; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sluegot variant connection"; flow:to_server,established; content:"/safe/1.asp?rands="; fast_pattern:only; http_uri; content:"acc="; http_uri; content:"str="; distance:0; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| )"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/eec094bd3604a2fd84333113fbc0aee4fe394c5b74c7cc28216aa53d714d1bf3/analysis/; classtype:trojan-activity; sid:28565; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Pkdesco variant outbound connection"; flow:to_server,established; content:"UPDATE|7C|"; fast_pattern:only; content:"|7C|Microsoft Windows"; depth:82; offset:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/f083a25bf39a69a63f2d048ac4ba9b8a68792183250c2d0964ddb7cadd6b5d2d/analysis/; classtype:trojan-activity; sid:28564; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Pkdesco variant outbound connection"; flow:to_server,established; content:"INFECT|7C|"; fast_pattern:only; content:"|7C|Microsoft Windows"; depth:82; offset:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/f083a25bf39a69a63f2d048ac4ba9b8a68792183250c2d0964ddb7cadd6b5d2d/analysis/; classtype:trojan-activity; sid:28563; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sidopa variant outbound connection"; flow:to_server,established; content:"/vbupload.php|3F|pc|3D|"; fast_pattern:only; http_uri; content:"|26|slots|3D 31 26|value1|3D 31 26|value2|3D 32|"; offset:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7ef45380dcaeac418b63e2984153b91d64b5f1a57091450d83ec1edda2f38341/analysis/; classtype:trojan-activity; sid:28562; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Plugx outbound connection"; flow:to_server,established; content:"|D8 D8 D8 D8 27 26 27 27 27 27 27 27 01 23 EE 8D|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/17efd5c1c4dd56d5d0b1f5bb0ffed9ea7f2365b0073166654dc7c102cd5fbf4e/analysis/; classtype:trojan-activity; sid:28561; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Plugx FTP keepalive outbound connection"; flow:to_server,established; content:"|00 00 00 00 04 01 00 00 10 00 00 00 EB A3 E7 BC 7F 26 E8 DD F7 CC 93 09 A4 16 D7 DC|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/17efd5c1c4dd56d5d0b1f5bb0ffed9ea7f2365b0073166654dc7c102cd5fbf4e/analysis/; classtype:trojan-activity; sid:28560; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection"; flow:to_server,established; content:"|C4 DA CD F8|IP|3A|"; depth:7; content:"|BC C6 CB E3 BB FA C3 FB 3A|"; distance:0; content:"(LAN)"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/073a57592298f532dba89d56f7c0cdfbe2fa7610b9c4bde7dd4d1a4f894a7deb; classtype:trojan-activity; sid:28724; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection"; flow:to_client,established; content:"|3B 20|filename=exe.exe|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Ptiger variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; http_header; content:"/FC001/"; depth:7; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b5acaefafdfc628e309e86c3cc34967b2cbb51f239fedec56fa81adc1aee58dd/analysis/; classtype:trojan-activity; sid:28808; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 2090 (msg:"MALWARE-CNC Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21; content:"|00 00|"; depth:2; offset:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3; reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179; classtype:trojan-activity; sid:28805; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|&nome="; fast_pattern:only; http_client_body; content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Injector inbound connection"; flow:to_client,established; file_data; content:"UPDATE|7C|"; depth:7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos outbound connection"; flow:to_server,established; urilen:17<>27; content:"ip-who-is.com|0D 0A|"; fast_pattern:only; http_header; content:"/locate-ip/"; depth:11; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:"; depth:45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern; content:"google.com|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28800; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Mxtcycle variant outbound connection"; flow:to_server,established; dsize:<400; content:"MXtf3T"; fast_pattern:only; content:"|00 00 88 01|"; offset:8; content:"|66|"; within:1; distance:15; content:"|9C|"; within:1; distance:3; content:"Default"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/en/file/e749873bdf5503a34576fc5a4d34e205e067f28e6a1f594ff1f3496b0f69053c/analysis/; classtype:trojan-activity; sid:28799; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Mutopy variant outbound connection"; flow:to_server,established; content:"/protocol.php|3F|p|3D|"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20 2D|"; http_header; pcre:"/\x3Fp\x3D[0-9]{1,10}\x26d\x3D/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/731e073dfbeab7c30d5c9c9d2d601655d62d1fbf108b60364bd7d68d4843d7e0/analysis/; classtype:trojan-activity; sid:28373; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader.Dtcontx outbound connection"; flow:to_server,established; dsize:15; content:"HTTP1.8 GET|00 00 00 2E|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/D8930647A08B21F5C1E95BAE5E18BD785DD350490691A5D09FBEE98A1DF43FDB/analysis/; classtype:trojan-activity; sid:28418; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9002 (msg:"MALWARE-CNC Win.Trojan.Molgomsg variant outbound connection"; flow:to_server,established; content:"|0D C9 08 00|"; fast_pattern:only; content:"|00 00|"; depth:2; offset:6; content:"|00 00 78|"; within:3; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/6f3e72df3086c5dcf508283f4bfd2d65cbce907e1c140a8f9b1ac922c979f439/analysis/; classtype:trojan-activity; sid:28417; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:"/report"; depth:7; http_uri; content:"_started"; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1598869ba6f98117bee92a108fe4f45bd2240e56daceb867b2535e8e2b16be2c/analysis/; classtype:trojan-activity; sid:28820; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:28817; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Siluhdur variant outbound connection"; flow:to_server,established; content:"OnConnect|7C|"; depth:15; fast_pattern; content:"Detected|7C|"; within:126; distance:15; content:"|7C|OnConnect|7C|"; within:46; distance:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/5e0ecf51b6bbd733d15dc1bb16d3e2da8fd66d804e5d44457ffc2997ea5db45d/analysis/; classtype:trojan-activity; sid:28816; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:!"Accept"; http_header; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"/post.aspx?forumID="; fast_pattern:only; http_uri; content:"|0D 0A|URL: http"; depth:11; offset:17; http_client_body; content:!"Accept"; http_header; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Ufraie variant outbound connection"; flow:to_server,established; content:"/t/d2hsdWF3O"; depth:12; fast_pattern; http_uri; urilen:>100; content:"/count.htm"; within:120; distance:78; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02e7b80b8b50ec23f3209f179e9e1c2fbb64d1afe768834cc2a48e0e99bf84a5/analysis/; classtype:trojan-activity; sid:28813; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|biz|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dipverdle variant outbound connection"; flow:to_server,established; content:"/cp/|3F|logo.jpg"; fast_pattern:only; http_uri; content:"token|3D|78hS"; http_client_body; content:"WQjF"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f3b0757ac15a61d50948140b56b034b9474fc2e2ca14b6225ced6d24f6d09bcf/analysis/; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:28853; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8091 (msg:"MALWARE-CNC Win.Trojan.Yowdab variant connection"; flow:to_server,established; content:"|55 55 09 00|Windows|20|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a55966b4bf708cfb99796f5b6896345d3886263ab7dbc9cf73b883b722bda5a3/analysis/; classtype:trojan-activity; sid:28856; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:"/isa/wp-content/gallery/build.php"; fast_pattern:only; http_uri; content:"titulo="; depth:7; http_client_body; content:"&texto="; distance:0; http_client_body; content:"Computador"; distance:0; http_client_body; content:"Versao%20do%20Win"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2aed1e06c399b34d315e6d627dbc0f25c08426005735d5a5ce58bbdc78b8557a/analysis/; classtype:trojan-activity; sid:28886; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Tavdig variant outbound connection"; flow:to_server,established; content:"/?rank="; fast_pattern; http_uri; content:"number="; depth:7; http_cookie; content:"Result="; depth:7; http_client_body; content:!"&"; http_client_body; pcre:"/^number=[0-9A-F]{32}$/mC"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/; classtype:trojan-activity; sid:28879; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tofsee variant outbound connection"; flow:to_server,established; content:"/tsone/vowet11.dat"; fast_pattern:only; http_uri; content:"wv="; nocase; http_uri; content:"bt="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/60075df25f27bb76dc03e17faa6f9102f605e13c380159d22d52baea8af8ad75/analysis/; classtype:trojan-activity; sid:28864; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Roxfora variant outbound connection"; flow:to_server,established; content:"/newwab/add.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| AutoIt|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/26eb3f2984e318ea7f2f778d7a4131688b48eaa21e3ff1bb8707928f15de8c35/analysis/; classtype:trojan-activity; sid:28861; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Adwind UNRECOM connnection back to cnc server"; flow:to_server,established; dsize:42; content:"|00 28|b7a03a4272d964b2c05897c9273184776c9f526e"; depth:42; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:28858; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Adwind UNRECOM connnection back to cnc server"; flow:to_server,established; dsize:42; content:"|00 28|e3a8809017dd76bd26557a5b923ab2ae16c0cdb3"; depth:42; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:28857; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #test1|20 7C 0D 0A|JOIN #test2|20 7C 0D 0A|JOIN #test3 (null)|0D 0A|"; depth:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28988; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #n jobs|0D 0A|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28987; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #biz abc|0D 0A|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf5e84dc2115f2f4aa800e6b/analysis/1387176826/; classtype:trojan-activity; sid:28986; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"/site2/"; http_uri; content:!"Referer|3A| "; http_header; content:"60gp="; http_cookie; content:"60gpBAK="; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28985; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/direct.php"; http_uri; content:"?f="; http_uri; content:"&s="; http_uri; pcre:"/\x2Fdirect\.php\x3Ff=[0-9]{8}\x26s=[a-z0-9]{3}\.[a-z]{1,4}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28984; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/launch.php"; http_uri; content:"?f="; http_uri; content:"&s="; distance:0; http_uri; content:"&is_direct="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28983; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC"; flow:to_client,established; content:"JOIN |3A|#"; content:"!dl http://"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28982; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; content:"|3B 20|Windows NT 5.0|0D 0A|Host:"; fast_pattern:only; http_header; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"|0D 0A|TP="; http_client_body; content:"|0D 0A|LGSN="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; within:4; distance:36; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Jussuc variant outbound connection"; flow:to_server,established; content:" here and i'm here and ready to DDoS."; fast_pattern:only; content:" :Hello everyone, "; pcre:"/\s\:Hello everyone,\s.*?\shere\sand\si'm\shere\sand\sready\sto\sDDoS\./"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ircd; reference:url,www.virustotal.com/file/7ae9cd702b644b92b273f9de2647578c557a1dc4c43326744e6bb6814c6980e0/analysis/; classtype:trojan-activity; sid:28958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kishlog variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| LOGGING"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a41e807eda79ce6d8089d26aea596264d9f65f9174246adbbec0b331b958932a/analysis/; classtype:trojan-activity; sid:28949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kishlog variant outbound connection"; flow:to_server,established; content:"/logekle.php?kullanici="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a41e807eda79ce6d8089d26aea596264d9f65f9174246adbbec0b331b958932a/analysis/; classtype:trojan-activity; sid:28948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tapaoux variant connection"; flow:to_server,established; content:"/20121122/1/adslists.php?topic_id="; fast_pattern:only; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/241142ade372cd8d97f113da8685926ac075ae262b0e80a9f613896d46ca64ab/analysis/; classtype:trojan-activity; sid:28947; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download"; flow:to_server,established; content:"/config.php?"; fast_pattern:only; http_uri; content:"version="; http_uri; content:"user="; http_uri; content:"server="; http_uri; content:"id="; http_uri; content:"crc="; http_uri; content:"id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/17180; reference:url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/; classtype:trojan-activity; sid:28940; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection"; flow:to_server,established; urilen:>150; content:"/?"; depth:2; http_uri; content:"Firefox/4.0b8pre|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\/\?[a-z0-9]{2}\=[a-z1-9]{100}/siU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28930; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Anony variant connection"; flow:to_server,established; content:"/home/index.asp?typeid="; fast_pattern:only; http_uri; content:"Referer: http://www.google.com/"; pcre:"/\/home\/index.asp\?typeid\=[0-9]{1,3}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/130411fdd36046693e5cb49bbee9ccd628bcb4cfb1e581d03e7787d298136f73/analysis/; classtype:trojan-activity; sid:28914; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Limlspy variant outbound connection"; flow:to_server,established; content:"Limitless/Login/submit_log.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/92936c3734c90b25f9b538057d34a077b6342e469771da6b041ce4e1079d2a1b/analysis/; classtype:trojan-activity; sid:29026; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cordmix variant outbound connection"; flow:to_server, established; content:"User-Agent|3A 20|NOKIAN95/WEB"; fast_pattern:only; http_header; urilen:1; content:"GET"; http_method; content:!"|0D 0A|Referer"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/34d20db5a3e9b452dee28e7dd7349956f665a74dc7857b0ccd2f0ec19f28d66f/analysis/; classtype:trojan-activity; sid:29016; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Dotconta variant outbound connection"; flow:to_server,established; content:"POST /cgi-bin/ldr.cgi"; depth:21; content:"|0D 0A 0D 0A||5B|-----------------------------1-----------------------------|5D||0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/20de25f115d5445f97520547c0812ae67910d5b98a9372502520b5a6fe63d71d/analysis/; classtype:trojan-activity; sid:29011; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Bunitu variant outbound connection"; flow:to_server,established; dsize:44; content:"|00 01 01 00 00 01 00 00 00 00 00 00|"; fast_pattern:only; content:"|05 00|"; depth:2; offset:16; content:"|00 00 00 00|"; within:4; distance:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d84c7f491b7c66f3f2cd638b94aaa87e11ca0818ffcce89fd6ba459786ac28f9/analysis/; classtype:trojan-activity; sid:28996; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"BaitNET.core"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/80570512f0195dc1164631bf48f65b5f3d07db80938c55dc06d3255ab8fadf7a/analysis/; classtype:trojan-activity; sid:28995; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Backdoor Remote Shell Server download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"BaitNET.core"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/80570512f0195dc1164631bf48f65b5f3d07db80938c55dc06d3255ab8fadf7a/analysis/; classtype:trojan-activity; sid:28994; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot FTP data exfiltration"; flow:to_server,established; content:"STOR si_"; content:".cb"; within:50; metadata:impact_flag red, service ftp-data; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; classtype:trojan-activity; sid:28991; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot connection to cnc server"; flow:to_server,established; content:"/t"; http_uri; content:"POST"; http_method; content:"v=3&c="; depth:6; http_client_body; content:"=="; within:2; distance:66; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3104ff71bf880bc40d096eca7d1ccc3f762ea6cc89743c6fef744fd76d441d1b/analysis/; classtype:trojan-activity; sid:28990; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egobot variant outbound connection"; flow:to_server,established; content:"/micro/advice.php?arg1="; fast_pattern:only; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-3333; reference:cve,2011-0609; reference:url,www.virustotal.com/en/file/be3cb2fa0eeb30ce84b9dd197389ddec9f5ba0976393a35bcddb2403ea53a0d4/analysis/; classtype:trojan-activity; sid:28989; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant inbound connection"; flow:to_client,established; content:"/avcheck.exe|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; http_header; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8111 (msg:"MALWARE-CNC Win.Trojan.Umberial variant outbound connection"; flow:to_server,established; content:"|71 74 B6 B6 B6 B6 B6 B6 B6 B6 B6 B6|"; fast_pattern; content:"|67 8D 90 D6|"; distance:0; content:"|B6 B6 FF FF FF FF|"; distance:0; pcre:"/\xb6\xb6\xff\xff\xff\xff$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a18370a748ef40b3b066fde1fc3c07c69ad32a08bdcefbb0b10bd42280ef0f18/analysis/; classtype:trojan-activity; sid:29058; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8256 (msg:"MALWARE-CNC Installation Win.Trojan.Umberial variant outbound connection"; flow:to_server,established; content:"/plus.asp?"; depth:14; fast_pattern; content:"query="; distance:0; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; distance:0; content:!"|0D 0A|Accept"; pcre:"/^GET\x20\/plus\x2easp\?[^\r\n]*?query=[a-z0-9+\/]{2,40}@{0,2}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a18370a748ef40b3b066fde1fc3c07c69ad32a08bdcefbb0b10bd42280ef0f18/analysis/; classtype:trojan-activity; sid:29057; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Descrantol variant outbound connection"; flow:to_server,established; content:"/modules/db/mgr.php?F=3?mgn&Auth="; fast_pattern; http_uri; content:"&Session="; distance:0; http_uri; content:"&DataID="; distance:0; http_uri; content:"&FamilyID="; distance:0; http_uri; content:"&BranchID="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f09a400bf8abb19d57ecc0c34b7fe989b34b43019770216c46ae05bd54da41a3/analysis/; classtype:trojan-activity; sid:29056; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lorask variant outbound connection"; flow:to_server,established; content:"/images/stories/SOJHA"; fast_pattern:only; http_uri; urilen:21; content:!"|0D 0A|Cookie"; http_header; content:!"|0D 0A|Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b2b35b1d958999ad258deecfd02074c425e778f266c07641795cc362c5b8eeb4/analysis/; classtype:trojan-activity; sid:29045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lorask variant outbound connection"; flow:to_server,established; content:"/modules/mod_acepolls/n_01.php?MC="; depth:34; fast_pattern; http_uri; content:"|3A|"; distance:0; http_uri; content:"|3A|"; within:3; http_uri; content:!"|0D 0A|Cookie"; http_header; content:!"|0D 0A|Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b2b35b1d958999ad258deecfd02074c425e778f266c07641795cc362c5b8eeb4/analysis/; classtype:trojan-activity; sid:29044; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz variant outbound connection"; flow:to_server, established; content:"/memberlist.php"; fast_pattern:only; http_uri; urilen:15; content:"POST"; http_method; content:"Referer: http://www.google.com"; http_header; content:"|92 DB FB 69 EB B2|"; depth:6; http_client_body; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 2.0|3B| Windows NT 5.0|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/188163a0a5203cab7d29a75c725aac17a5770d599114b6f7b019c71025fb3dba/analysis/; classtype:trojan-activity; sid:29039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz variant initial outbound connection"; flow:to_server, established; content:"/auth.php"; fast_pattern:only; http_uri; urilen:9; content:"GET"; http_method; content:"Referer: http://www.google.com"; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 2.0|3B| Windows NT 5.0|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/188163a0a5203cab7d29a75c725aac17a5770d599114b6f7b019c71025fb3dba/analysis/; classtype:trojan-activity; sid:29038; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Mojap variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; http_header; content:"yAIAA"; depth:5; http_client_body; content:"Content-Length: 956"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a36246266f06ddf5d6607781f0c75a91a58ee1a4a6835de371869818eded9d47/analysis/; classtype:trojan-activity; sid:29138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587,2525,2526] (msg:"MALWARE-CNC Win.Trojan.Neos variant outbound connection"; flow:to_server,established; file_data; content:"Victim Computer Name|3A 20|"; fast_pattern:only; content:"|0D 0A|Victim Username|3A 20|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/63cdfbfbbbc50b06acb75e6059cf63721cb814cd825b9e5d29b7a0b50bc8d78b/analysis/; classtype:trojan-activity; sid:29136; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2024 (msg:"MALWARE-CNC Win.Trojan.Bfddos variant outbound connection"; flow:to_server,established; dsize:<256; content:"BFDDOS+"; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b1b61a6cfe722c8f745bb7895a2420bff043516ac6809cbe99c82db62ac120d1/analysis/; classtype:trojan-activity; sid:29135; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Goobraz variant outbound connection"; flow:to_server,established; content:"/tmp/contato/index.php"; fast_pattern:only; http_uri; content:"op="; depth:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/46713474c7b1cf3f90756e9c0dcec74f8f87fb3958152ce4835523f703c1689b/analysis/; classtype:trojan-activity; sid:29133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/webstat/?i="; depth:12; fast_pattern; http_uri; content:"User-Agent: Mozilla/7"; http_header; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29127; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Valden variant outbound connection"; flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|"; fast_pattern:only; http_header; content:"data="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/07ee4c383f052047a66ffb7ec93a2ae75f5a6c08bee20c3a0c57e59da1309c80/analysis/; classtype:trojan-activity; sid:29125; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 133 (msg:"MALWARE-CNC Win.Trojan.Tyaui variant outbound connection"; flow:to_server,established; content:"GET /count.php?u=YT"; depth:19; fast_pattern; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.00|3B| Windows 98)"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a01dccf9f983c4e3d5a99f8e2103dcb3cdef6505cd30f15491dbea6adb0e9e56/analysis/; classtype:trojan-activity; sid:29117; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Alset variant outbound connection"; flow:to_server,established; dsize:<380; content:"|3F|T|3D|machineinfo|26 26|Key|3D|"; fast_pattern:only; content:"User-Agent|3A 20|Tesla"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service java_rmi; reference:url,www.virustotal.com/en/file/b9b595a153a4f7d36a300cebcbe08d6f4e773c3a3f29250957bf11506b0b931a/analysis/; classtype:trojan-activity; sid:29115; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sotark variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|AMAZON|28|Host|3A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5f8406986c8edd9d4453f36783459625f4fbf28a6216855ea69b6291c94a36dd/analysis/; classtype:trojan-activity; sid:29114; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8889 (msg:"MALWARE-CNC Win.Trojan.Conrec variant outbound connection"; flow:to_server,established; content:"|0D 0A|Accept: Accept: */*"; content:"|0D 0A|Action="; distance:0; content:"Name="; distance:0; content:"Version="; distance:0; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/31a579c78067881ede5bbacdb2f73ac046bd3a9794f755ac217795d4d22afddb/analysis/; classtype:trojan-activity; sid:29113; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Drafukey variant outbound connection"; flow:to_server,established; content:"/ping.php?"; depth:10; http_uri; content:"mc="; http_uri; content:"name="; http_uri; content:"fi="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/aacb126e0a05e8b3aa08e7abae9c28f1d5638a26201d51d6d8668aee4235f867/analysis/; classtype:trojan-activity; sid:29112; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Drafukey variant outbound connection"; flow:to_server,established; content:"/report.asp"; nocase; http_uri; content:!"User-Agent|3A|"; http_header; content:"&machine="; fast_pattern:only; http_client_body; content:"username="; depth:9; http_client_body; content:"&id="; distance:0; http_client_body; content:"&mac="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/793ed3882e24f5b80d6085f86b0a835147f9ff04120de5a8eeae0848d4c89e1e/analysis/; classtype:trojan-activity; sid:29109; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.SixMuch variant outbound connection"; flow:to_server,established; content:"/cike.php?fid="; depth:14; http_uri; content:"cid="; distance:0; http_uri; content:"ver="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fadbf5d8176216d1cb23ea29f2fbcb502a935f36ca16d0d9608512494b3615ee/analysis/; classtype:trojan-activity; sid:29108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Iniptad variant outbound connection"; flow:to_server,established; content:"/VKI/support_ikv.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/eb7ef75c363d12cbe6ec268d49f4b8cdece847ce19181e0ea5440f991527a3a2/analysis/; classtype:trojan-activity; sid:29104; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Korhigh variant outbound connection"; flow:to_server,established; content:"|BB A7 A7 A3 D3 C2 DD|"; depth:7; content:"|A0 A6 B0 B0 B6 A0 A0|"; within:172; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/6452133d10f0ac5cdeea84a170765a215101e83ce045303ea32b8d4d3b6240d9/analysis/; classtype:trojan-activity; sid:29103; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Fotip FTP file upload variant outbound connection"; flow:to_server,established; content:"STOR PIC|5F|"; content:"|5F 20 5F|"; within:11; pcre:"/STOR\x20PIC\x5f\d{6}[a-z]{2}\x5f\x20\x5f\d{7}\x20\x2e\d{3}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/7cf757e0943b0a6598795156c156cb90feb7d87d4a22c01044499c4e1619ac57/analysis/; classtype:trojan-activity; sid:29095; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 146 (msg:"MALWARE-CNC Win.Trojan.Choxy variant outbound connection"; flow:to_server,established; content:"GET /ip3.asp?ip="; depth:16; content:"&dz="; within:19; content:"&rnd="; distance:0; content:!"|0D 0A|Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b96f9ea18222f50ddc5b40d2d9916c42f3f531fe9af0f1ba9f0422556f6c3727/analysis/; classtype:trojan-activity; sid:29091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kboy variant outbound connection"; flow:to_server,established; dsize:<160; content:"|C4 4C 87 3F 11 1E C4 1A|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/5ba8c42807bee050aa474fe3c876936d196c65dca9895ccd2e317133188c905e/analysis/; classtype:trojan-activity; sid:29087; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ldmon variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|tiny-dl/nix"; fast_pattern:only; http_header; content:"|3F|id|3D|"; http_uri; content:"|26|did|3D|"; distance:1; http_uri; content:"|26|hsig|3D|"; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ce9f2dcad397340fb0758867d8391ed9ad2f8559611300f44eead6bef217595e/analysis/; classtype:trojan-activity; sid:29082; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Budir initial variant outbound connection"; flow:to_server,established; content:"/global.php?info"; depth:16; fast_pattern; http_uri; content:"POST"; http_method; content:"pasport="; depth:8; http_client_body; content:"pcname="; distance:0; http_client_body; pcre:"/User-Agent\x3a\x20[^\x0d\x0a]*?\x3bU\x3a[^\x0d\x0a]{1,68}\x3brv\x3a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d11133b69a72f1cb9d1ee5c33c9ffe442b654a14e901654c79bcf2250d29bbf/analysis/; classtype:trojan-activity; sid:29081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Inftob variant outbound connection"; flow:to_server,established; content:"/tmp/bots/getinfo.php?info="; fast_pattern:only; http_uri; content:"%20%20%20[System%20Process]%20"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d0d0376d32ebfd2b3ed66d66ae47521b3266b895528e97133eeae6b0f6e9c5d/analysis/; classtype:trojan-activity; sid:29079; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Platidium variant outbound connection"; flow:to_server,established; content:"UserAgent|3A|Mozilla"; fast_pattern:only; http_header; urilen:>350; content:"|3D|OGQwZWFmOD"; depth:30; offset:21; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d54898e5463dcf4c5a3deaf626704d92831c7336c374d25e7234a95d9cf02d5a/analysis/; classtype:trojan-activity; sid:29077; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Epixed variant outbound connection"; flow:to_server,established; content:"/loader/get.php|3F|ID|3D|"; fast_pattern:only; http_uri; content:"|26|EXE|3D|"; offset:39; http_uri; content:"|26|V|3D|"; within:4; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e318ca375472fc8b8ae779a53bfa8cfc757146e1e8da7ceca75b790adf5f3376/analysis/; classtype:trojan-activity; sid:29076; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Firefly outbound communcation"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla|0D 0A|"; fast_pattern:only; http_header; content:"/vhost/rev.php"; depth:14; http_uri; content:"ExEsign|3A|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0d65e5843bacbf6793fd572bd747a76c99fe245b3ea5f91d647c6067b7707b4d/analysis/; classtype:trojan-activity; sid:29075; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maetdik variant outbound connection"; flow:to_server,established; content:"/bot/1.php?"; depth:11; http_uri; content:"pc="; distance:0; http_uri; content:"pccode="; distance:0; http_uri; content:"ip="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/336ad95431ef2cbff776af1457b07837c71111dd315be1712c824746e0fd0497/analysis/; classtype:trojan-activity; sid:29074; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maetdik variant initial outbound connection"; flow:to_server,established; content:"/bot/command.txt"; fast_pattern:only; http_uri; urilen:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/336ad95431ef2cbff776af1457b07837c71111dd315be1712c824746e0fd0497/analysis/; classtype:trojan-activity; sid:29073; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-CNC Win.Trojan.Wcvalep variant outbound connection"; flow:to_server,established; content:"POST /0000/a"; depth:12; fast_pattern; content:"|2E|asp"; within:14; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)"; distance:0; content:"|0D 0A 0D 0A 5C|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0754c283725a6cc8d63208c1f8330bed32c21d356971095156e75013ef5c45a5/analysis/; classtype:trojan-activity; sid:29071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"MALWARE-CNC Win.Trojan.Tapazom variant outbound connection"; flow:to_server,established; content:"GIVEME|7C|"; depth:7; content:"|7C|"; within:21; content:"|7C|"; within:5; content:"|7C 0A|"; within:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/44732b30c2d45a21368f8ac07069dac178315acec40c119897705225c3afbfd7/analysis/; classtype:trojan-activity; sid:29068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tenad variant outbound connection"; flow:to_server,established; urilen:19<>26,norm; content:"/control/update.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/80b1e7c967bc4634e4eaf3d8501c357e629e7df06ca76987e06090a63bc2489c/analysis/; classtype:trojan-activity; sid:29179; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Retsaw variant outbound connection"; flow:to_server,established; content:"Name=, i have been infected"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4089A7B2F9C2C85BAD4BE39BDE805302CC45AEAD8B9F3650FFB668AC329B2D22/analysis/; classtype:trojan-activity; sid:29176; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Sitrof variant outbound connection"; flow:to_server,established; content:"/ftsri.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29175; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Vwealer outbound connection"; flow:to_server,established; content:"PASS 14021991c"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/d84f770edaab7c3878985e71d76a6484423c4aca215937ac244dcf57f8497c35/analysis/; classtype:trojan-activity; sid:29155; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Yohakest variant followup outbound connection"; flow:to_server,established; content:"/hack/command.php?computer="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d39543d91c17eae377b068cfb52f911d42efb6ea3566eebb202192ca92dbc3ee/analysis/; classtype:trojan-activity; sid:29154; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Yohakest variant file upload outbound connection"; flow:to_server,established; content:"/hack/up.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"User-Agent|3A| WarpHTTP"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d39543d91c17eae377b068cfb52f911d42efb6ea3566eebb202192ca92dbc3ee/analysis/; classtype:trojan-activity; sid:29153; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Yohakest variant initial runtime outbound connection"; flow:to_server,established; content:"/hack/action.php?computer="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d39543d91c17eae377b068cfb52f911d42efb6ea3566eebb202192ca92dbc3ee/analysis/; classtype:trojan-activity; sid:29152; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Janicab outbound connection"; flow:to_server,established; content:"/gsn.php|3F|new|3D|"; fast_pattern:only; http_uri; content:"|26|av|3D|"; http_uri; pcre:"/\?new\=.*?\:.*?\&v\=\d\.\d\.\d\&av\=/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7371d6fd67e261292ff6709b3c078acbb4e542f49cb50cfb8a2185a9d245cbdf/analysis/; classtype:trojan-activity; sid:29149; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Huxerox variant outbound connection"; flow:to_server,established; content:"/1.asp?login=Windows"; depth:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9974a916c3f86062e31e876c7f27f337afd3eceb7732bb4f38b26a6cfc81cc6c/analysis/; classtype:trojan-activity; sid:29148; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.RansomCrypt variant outbound connection"; flow:to_server,established; urilen:1; content:"form-data|3B| name=|22|cmd|22 0D 0A 0D 0A|cr|0D 0A|--"; depth:100; http_client_body; content:"--|0D 0A|"; within:4; distance:20; http_client_body; content:"Media Center PC 6.0|3B| MASE)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9df6a1f3eef45d15f9a3c587b3fa0ef02c25b40da8c8c87293e5c442c991fd6c/analysis/; classtype:trojan-activity; sid:29146; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tearspear variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20 3B|WinName|3D|Microsoft"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c02f0c48fef2521080bd8728d7d7fa31e282bed7e8f430eedcbef3815a74e2f0/analysis/; classtype:trojan-activity; sid:29140; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxydown variant connection"; flow:to_server,established; content:"/header.php?"; depth:12; http_uri; content:"ah8d"; within:4; distance:8; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f981405016f2d8f4cb3fdd2f85c17f91a36491e2fcb2d703112eff103db25450/analysis/; classtype:trojan-activity; sid:29313; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Fraxytime outbound connection"; flow:to_server,established; dsize:20; content:"|14 00 00 00 02 00 14 20 02 05 05 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b9a713ebd6c95171c25f6ebb7b987155031b2ecc23778a1ce8561c0dbd0db47c/analysis/; classtype:trojan-activity; sid:29307; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Popyerd variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; http_header; content:"/panel/connect.php"; http_uri; content:"username="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/61bb7bac35fb31428f607b1a192b15e7f0ff0dd2c3ae26ad82639e34dc72a9a1/analysis/; classtype:trojan-activity; sid:29306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Verbscut variant outbound connection"; flow:to_server,established; content:"Accept|3A 20 2A 0D 0A|"; fast_pattern:only; http_header; content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5634b5d2086e69be47fac7a3e6f8c35f7111bef72c40a39aad76205b7efe62ec/analysis/; classtype:trojan-activity; sid:29304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Diswenshow outbound connection"; flow:to_server,established; content:"/url.asp|3F|UK0718-ShowNewsID-"; fast_pattern:only; http_uri; urilen:>49; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2defe5528ee557da0c6b76cf3a26cca66351a1decf5a67e9e1006cbafcd12918/analysis/; classtype:trojan-activity; sid:29302; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mizzmo variant outbound connection"; flow:to_server,established; urilen:18; content:"/rss/newsfull.html"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/61bb7bac35fb31428f607b1a192b15e7f0ff0dd2c3ae26ad82639e34dc72a9a1/analysis/; classtype:trojan-activity; sid:29301; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nineblog variant outbound connection"; flow:to_server,established; content:"/9blog/client.php"; fast_pattern:only; http_uri; content:"name="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/91b9522c2863908a648ec9b49c88a48af7918e8ae6f48db0e9ed39c9b13412c9/analysis/; classtype:trojan-activity; sid:29299; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Boda variant initial outbound connection"; flow:to_server,established; dsize:24; content:"|30 31 31 33 0C 00 00 00 08 00 00 00 19 FF FF FF FF 00 00 00 00 11 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d1cb0c44bc113c1b4fece0c1fc0a80ffb9771016ce49b52b09a07de03b4aa0bd/analysis/; classtype:trojan-activity; sid:29295; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Boda variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| lynx|0D 0A|"; content:"Content-Length|3A| 2|0D 0A|"; distance:0; content:"|0D 0A 0D 0A|AA"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d1cb0c44bc113c1b4fece0c1fc0a80ffb9771016ce49b52b09a07de03b4aa0bd/analysis/; classtype:trojan-activity; sid:29294; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Chulastran variant initial version check outbound connection"; flow:to_server,established; content:"GET /version.txt HTTP/1.1|0D 0A|Host|3A| 199.91.173.43|0D 0A|Accept|3A| */*|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13296d371501726c0fcb7f1dbb9f125939bc0905f7a19ad3812ffab350974b51/analysis/; classtype:trojan-activity; sid:29293; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Chulastran variant outbound connection"; flow:to_server,established; content:"/fetch_updates_8765.php?compname="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13296d371501726c0fcb7f1dbb9f125939bc0905f7a19ad3812ffab350974b51/analysis/; classtype:trojan-activity; sid:29292; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Stitur variant outbound connection"; flow:to_server,established; urilen:>69; content:"/indexrc4.php?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/94b636c6c1858c584850b25cdcfaf3a6a0f9f68d81113a0de28aa78d38cf4c3e/analysis/; classtype:trojan-activity; sid:29291; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kmnokay outbound connection"; flow:to_server,established; content:"/baner.php|3F|C|3D|"; fast_pattern:only; http_uri; content:"|26|V|3D|"; offset:14; http_uri; content:"|26|T|3D|S"; within:5; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1f9a482ede8b061dcc4694cc78f2ef9d49fcf51261bcc4248785510aaa1318b2/analysis/; classtype:trojan-activity; sid:29289; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/FileToDownload.exe"; fast_pattern:only; http_uri; content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,file-analyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"/se/gate.php"; http_uri; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: "; fast_pattern:only; pcre:"/\x3d\x0a$/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Mowfote variant initial outbound connection"; flow:to_server,established; content:"User-Agent|3A| InetURL|3A|/1.0|0D 0A|Host|3A| etymologie-occitane.fr|0D|"; fast_pattern:only; http_header; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c9bb1e05c2ab4dfb0682177ab440054ebebb195eebb4994b1e4c22157ce3f42b/analysis/; classtype:trojan-activity; sid:29359; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cidox variant outbound connection"; flow:to_server, established; urilen:30<>33,norm; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(letr|req|opt|eve)\/[0-9a-fA-F]{24}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c2d15a75d99dbe6576ed2a024a66f38a179f60b53aefde50d68eac2ca193e2a/analysis/; classtype:trojan-activity; sid:29356; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeagle outbound connection"; flow:to_server,established; content:"cmd|3D|"; depth:4; http_client_body; content:"|26|dados|3D|"; fast_pattern:only; http_client_body; pcre:"/^cmd\x3D[a-z]+?\x26dados\x3D(?:\d\x257C){2}.{1,16}\x257C/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bed065e8839b81d069eb3549214b875e0e84aa1fa489fdd182d82150514106c2/analysis/; classtype:trojan-activity; sid:29353; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Typdec variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| yahoo html|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/aa94057d957736005bd6c70dba96b39b60121e0a4b35db03d5b9dfdbf5e58537/analysis/; classtype:trojan-activity; sid:29352; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Bulilit variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| E.WinInet 1.0|0D 0A|"; fast_pattern:only; http_header; content:"/count.asp"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e069f1c14ece298aa0cb7c9509e019c747f1d255f34040e5f58eea93b08cf310/analysis/; classtype:trojan-activity; sid:29351; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern; http_client_body; content:"&tmp="; distance:0; http_client_body; content:"&stat="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8769 (msg:"MALWARE-CNC Win.Trojan.Chifan variant outbound connection"; flow:to_server,established; content:"/getBB.php?id="; depth:14; fast_pattern; content:"&ver="; within:22; distance:17; content:"&uid="; within:10; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/26cb61cae1f8c6ce15e2b3585f9d6050b81bbfeb93c307f7a6ab20d2f6a4c95f/analysis/; classtype:trojan-activity; sid:29348; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Dondat variant outbound connection"; flow:to_server,established; content:"/tj/databack.asp?fl=OK&x="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/95ad3716b554d38992237279957f9a1a28a5e5822cd4c32dab4b6c19c524d56c/analysis/; classtype:trojan-activity; sid:29345; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Dondat variant outbound connection"; flow:to_server,established; content:"/tj/databack.asp?pn="; fast_pattern:only; http_uri; content:"&s="; offset:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/95ad3716b554d38992237279957f9a1a28a5e5822cd4c32dab4b6c19c524d56c/analysis/; classtype:trojan-activity; sid:29344; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Plusau outbound connection"; flow:to_server,established; content:"Mozilla/ 4.0|2B 28|compatible|3B 2B|MSIE|2B|8.0|3B 2B|Windows|2B|NT|2B|5.1|3B 2B|SV1|3B 2B 28|R1|2B|1.5|29 3B 2B|.NET"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/795fa2f04fc525279b92c16e03c5f1bb2d8ce4006034895a47f1c3ef59042f55/analysis/; classtype:trojan-activity; sid:29340; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kishop variant initial runtime outbound connection"; flow:to_server,established; content:"/wa/lgate.php?"; fast_pattern:only; http_uri; content:"type="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/49143355FED4993209A8A4168C6387E7DE8A71FDCC17971DB8E78471B2EA76A3/analysis/; classtype:trojan-activity; sid:29339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8086 (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST /top/to1.asp HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7fc70b83ce36cf32ba8dcf131516de8791ba0d793299f6cedac18ba958e2b136/analysis/; classtype:trojan-activity; sid:29337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 921 (msg:"MALWARE-CNC OSX.Trojan.CallMe variant outbound connection"; flow:to_server,established; content:"Trojan run|0A|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/c4b6845e50fd4dce0fa69b25c7e9f7d25e6a04bbca23c279cc13f8b274d865c7/analysis/; classtype:trojan-activity; sid:29335; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Aokaspid outbound connection using other"; flow:to_server,established; content:"GHz|0D CE B4 D6 AA 0D 20|"; fast_pattern:only; content:"Windows"; content:"MB|0D|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b7bc9bfeaf55591a22bcf13fa77f91c77114729e2ca4c1df6ba6bb66be442759/analysis/; classtype:trojan-activity; sid:29334; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Aokaspid outbound connection using proxy server"; flow:to_server,established; content:"GHz|0D B4 FA C0 ED 0D 20|"; fast_pattern:only; content:"Windows"; content:"MB|0D|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b7bc9bfeaf55591a22bcf13fa77f91c77114729e2ca4c1df6ba6bb66be442759/analysis/; classtype:trojan-activity; sid:29333; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Aokaspid outbound connection using lan"; flow:to_server,established; content:"GHz|0D C4 DA CD F8 0D 20|"; fast_pattern:only; content:"Windows"; content:"MB|0D|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b7bc9bfeaf55591a22bcf13fa77f91c77114729e2ca4c1df6ba6bb66be442759/analysis/; classtype:trojan-activity; sid:29332; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Aokaspid outbound connection using modem"; flow:to_server,established; content:"GHz|0D CD E2 CD F8 0D 20|"; fast_pattern:only; content:"Windows"; content:"MB|0D|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b7bc9bfeaf55591a22bcf13fa77f91c77114729e2ca4c1df6ba6bb66be442759/analysis/; classtype:trojan-activity; sid:29331; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Piedacon variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|Y29ubmVjdA=="; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d66262b736bbe3b10b433b804af8f20532855394f12400b17c4b80299b455c9f/analysis/; classtype:trojan-activity; sid:29330; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1994,81] (msg:"MALWARE-CNC Win.Trojan.Horsamaz outbound connection"; flow:to_server,established; dsize:<80; content:"|0B 64 DE 9B CA 9B C0 05 BC CE 3B|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/1c255aa7b960c07971de778746f53e3549e3c3e15b8d3a9c3b81f584f3dca814/analysis/; classtype:trojan-activity; sid:29325; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vivia variant outbound connection"; flow:to_server,established; content:"/systemcheck/info.php"; fast_pattern; http_uri; content:"system="; http_client_body; content:"poster.version"; http_client_body; content:"ie.patches"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0acbc171d16c538546935e63256e3e1396a82756df7c4b048fba6dd147631f75/analysis/; classtype:trojan-activity; sid:29324; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2080 (msg:"MALWARE-CNC Win.Trojan.Alusins variant outbound connection"; flow:to_server,established; dsize:<140; content:"|B0 B2 FC|"; depth:3; content:"|FC A0 A6 FC|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9611a49d0181a2c81d319517fede0878c8112f8fd344a1c606c15cd63659e77e/analysis/; classtype:trojan-activity; sid:29389; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic"; flow:to_server,established; dsize:5; content:"|05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29380; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration"; flow:to_server,established; dsize:>1440; content:"|03 2B 82 86 02 A0 05|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29379; rev:2;)
# alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic"; flow:to_client,established; dsize:10<>20; content:"|05 29 00 00 00 05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29378; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker.B connection test"; flow:to_server,established; content:"/testcon.php"; http_uri; urilen:15; pcre:"/\/[a-z]{2}\/testcon.php$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C4A95554B77A8551C7B2EAF49CE4B1DF7E786FAD8DD5C04E6CA6635068B23328/analysis/; classtype:trojan-activity; sid:29376; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Agent.ADJI variant outbound connection"; flow:to_server,established; urilen:6<>15; content:"nb0613R0="; depth:9; http_client_body; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a8a38aaa04cf1d44e119701e507c4c07fa5fcb002de458a9e40c8e8338604499/analysis/; classtype:trojan-activity; sid:29370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3308 (msg:"MALWARE-CNC Win.Trojan.Boato variant followup outbound connection"; flow:to_server,established; dsize:76; content:"|00 00 00 00 00 00 00 00 64 00 00 00 00 00 00 00|"; depth:16; content:"|00 00|"; depth:2; offset:72; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop; reference:url,www.virustotal.com/en/file/a8b92328106c38e56954bb57058e866cb35ed5ba17be7177790d14802883080e/analysis/; classtype:trojan-activity; sid:29368; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Boato variant outbound connection"; flow:to_server,established; content:"/tblm/Count.asp?ver="; fast_pattern:only; http_uri; content:"&ProcessNum="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a8b92328106c38e56954bb57058e866cb35ed5ba17be7177790d14802883080e/analysis/; classtype:trojan-activity; sid:29367; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pacbootini variant outbound connection"; flow:to_server,established; content:"|16 03 01 00 86 10 00 00 82 00 80 07 EB 6C 45 A6 57 D6 1B 6A 42 7D 5D 0E 37 30 E3 F8 B1 33 DF F8 EE 02 BC 6E C4 AC 1F 52 1A 4D 7C 06 D2 70 CE 2B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/a5f0dc11235953043a31a7d2bd68c7dd21388a9e927e2a6d2145899e7ee5aa1e/analysis/; classtype:trojan-activity; sid:29363; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chewbacca outbound connection"; flow:to_server,established; urilen:4; dsize:<200; content:"/ip/"; depth:4; fast_pattern; http_uri; content:"Keep-Alive|3A 20|300|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/chewbacca-latest-malware-to-take-a-liking-to-tor/103220; reference:url,www.securelist.com/en/blog/208214185/ChewBacca_a_new_episode_of_Tor_based_Malware; classtype:trojan-activity; sid:29440; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5600 (msg:"MALWARE-CNC Win.Trojan.Icefog variant outbound connection"; flow:to_server,established; dsize:<400; content:"|00 00 75 72|"; depth:4; offset:2; content:"|2A|"; within:1; distance:1; byte_test:2,<,0x190,0,little; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/236e3b7bfc74dbe394fdd854a829000a73ee2ec763ab2825a5e7f168eb58f8e0/analysis/; classtype:trojan-activity; sid:29430; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Zatincel variant outbound connection"; flow:to_server,established; content:"|61 00 7A 00 72 00 61 00 66 00|"; depth:10; fast_pattern; content:"|00 00 00 00 24 00 00 00 00 00 00 00|"; within:12; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/6c861f326d854f9e7ffd052cdb00c170cfa6c214c7a893b3aac3d1ca2ec55f8e/analysis/; classtype:trojan-activity; sid:29428; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6178 (msg:"MALWARE-CNC Win.Trojan.Etomertg variant outbound connection"; flow:to_server,established; content:"|00 00 B0 02 00 00 78 9C|"; depth:20; offset:250; content:"|00 00 00 00|"; depth:4; offset:243; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/bf8540491b204edf944d0e8aaa3f89ce657e523dafddc589570aa9575f9bca8f/analysis/; classtype:trojan-activity; sid:29426; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dldr variant outbound connection"; flow:to_server,established; content:"/board/images/start_car.gif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/04c5d11a96cfac7a47ccba4cdddeb222da848a901d1bce6a15a5fe06c1b17957/analysis/; classtype:trojan-activity; sid:29424; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.MaxerDDos variant connection"; flow:to_server,established; content:"Windows"; depth:7; content:"|BA DA C2 F3 CD F8 C2 E7|DDOS"; fast_pattern:only; content:"&|02|"; metadata:impact_flag red, policy balanced-ips drop; reference:url,www.virustotal.com/en/file/3e8fbaddb13982ed00d2c24b39ebb59f1be5041177e05b9d95da54109d4d5c03/analysis/; classtype:trojan-activity; sid:29423; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rhubot variant outbound connection"; flow:to_server,established; content:"/index.php?bot="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; reference:url,www.virustotal.com/file/9c7bb6910f6af81b01fd9b5a8f278102ff3874afa8abf5e43fd3546fdad8ff28/analysis/; classtype:trojan-activity; sid:29422; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Reedum BlackPoS outbound FTP connection"; flow:to_server,established; content:"USER digitalw"; fast_pattern:only; metadata:impact_flag red, service ftp; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; reference:url,krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf; reference:url,www.virustotal.com/en/file/853FB5A2AAD2E0533E390CFA5B0F3DFE96A054390CACDC8F4BA844BBA20809E4/analysis/; classtype:trojan-activity; sid:29421; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Reedum BlackPoS outbound FTP connection"; flow:to_server,established; content:"PASS Crysis1089"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; reference:url,krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf; reference:url,www.virustotal.com/en/file/853FB5A2AAD2E0533E390CFA5B0F3DFE96A054390CACDC8F4BA844BBA20809E4/analysis/; classtype:trojan-activity; sid:29420; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.vSkimmer outbound connection"; flow:to_server,established; content:"/api/process.php?xy="; http_uri; content:"User-Agent|3A| PCICompliant/3.33"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/; classtype:trojan-activity; sid:29416; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JAVAFOG Java malware backdoor connection to cnc server"; flow:to_server,established; content:"news/latestnews.aspx?title"; http_uri; content:"User-Agent: Java/"; http_header; content:"content"; depth:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0aedfdd0be32eb54ba39716e3bb1be41e662c08a9c0e72d34e6c466309671b31/analysis/; classtype:trojan-activity; sid:29408; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.SniperSpy variant outbound connection"; flow:to_server,established; content:"<SNIPERSPYCONF"; fast_pattern:only; http_client_body; content:"name=|22|pcserverid|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b858c38f510aef652affbad5801b3f4fa3c2c87ccdf7eba80e9f2bd5e754d37a/analysis/; classtype:trojan-activity; sid:29464; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Norekab variant outbound connection"; flow:to_server,established; urilen:8; content:"/log.php"; http_uri; content:"%4F%53%20%4E%61%6D%65%3A%20%4D%69%63%72%6F%73%6F%66%74"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51401f8da6d82d6e751aa3c7a364b6a9573c5449f8535dbae4be4dd86cfec3f7/analysis/; classtype:trojan-activity; sid:29461; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC Win.Trojan.Pabueri variant outbound connection"; flow:to_server,established; content:"|93 AA 00 8A 1B 4F 47 C0 93 AA 00 8A 1B 4F 47 C0 93 AA 00 8A 1B 4F 47 C0 93 AA 00 8A 1B 4F 47 C0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/982a97a14b3831014c54c8486469a5a2f81cbcd6c5e63eb17d5e1ddb7c261b1d/analysis/; classtype:trojan-activity; sid:29460; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Fexel variant outbound connection"; flow:to_server,established; content:"|0A|Agtid|3A 20|"; content:"08x|0D 0A|"; within:5; distance:8; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33dd45f638733e2f92f0cb5bfe86714734/analysis/; classtype:trojan-activity; sid:29459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; urilen:7; content:"/cs0719"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2e94dc0cdf6023e5532d594dd00fe42c362245317b5182dbb9b9218a6e8928c9/analysis/; classtype:trojan-activity; sid:29497; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Bicololo variant outbound connection"; flow:to_server,established; urilen:11; content:"/h/gate.php"; fast_pattern:only; http_uri; content:"tomail="; depth:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3666e3f24df53d683be78a57d69076e12d6a3fd65a07565823e729206d883b5/analysis/; classtype:trojan-activity; sid:29496; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Kopdel variant outbound connection"; flow:to_server,established; urilen:12; content:"/_update.php"; fast_pattern:only; http_uri; content:"g="; depth:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ed697a320665204f7d0393252545f40656e46e11a02808676781eb8ca5a135ad/analysis/; classtype:trojan-activity; sid:29495; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3301 (msg:"MALWARE-CNC Linux.Backdoor.Tsunami outbound connection"; flow:to_server,established; content:"mining.authorize"; depth:16; offset:21; content:"bitcoin4ever."; within:13; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29494; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Backdoor.Tsunami outbound connection"; flow:to_server,established; content:"POST"; depth:4; content:"/dogepool.php"; within:13; distance:1; fast_pattern; content:"User-Agent: Wget"; content:!"Referer:"; content:!"Accept-Encoding:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29493; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gaertob variant outbound connection"; flow:to_server,established; content:"g_jbez.cuc?do="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/868949f9d10391687c0ba07fa25fa1c59eb475f1d40103ca008682cb6ce2a0ba/analysis/; classtype:trojan-activity; sid:29489; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.POSCardStealer variant outbound connection"; flow:to_server,established; urilen:10<>20; content:"POST"; http_method; content:".php"; nocase; http_uri; content:!"User-Agent"; http_header; content:"|25|5BEOF|25|5D|25|0D|25|0A"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/219c8c96973e2f95693468196ae3c11bd323081149ad7bae73d07e26cbcf2700/analysis/; classtype:trojan-activity; sid:29484; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Botime variant connection"; flow:to_server,established; content:"|00|MotoS"; fast_pattern:only; content:"MotoS"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a617bb9d083eef1524bd32626c021a3318fc54f9b00f08a656424427e83fe790/analysis/; classtype:trojan-activity; sid:29483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Backdoor.Shellbot outbound connection"; flow:to_server,established; content:"JOIN|20|#vnc|0A|"; depth:10; content:"PRIVMSG|20|#vnc|20 3A|"; within:14; content:"status checking program online"; within:30; distance:7; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; classtype:trojan-activity; sid:29569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:established,to_server; content:"/therealslim/modules/config.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4b25b3ff876a8df2f6179f26d3c5996ecaa1348cc6003a38ef51e7adec5d2aa0/analysis/; classtype:trojan-activity; sid:29566; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 60005 (msg:"MALWARE-CNC Win.Trojan.Banker.AALV variant outbound connection"; flow:to_server,established; content:"CHEGOU-NOIS|7C|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/398f36f011199c4452fcc1543c6191b9a58937427f8b7af7e7ad221cba634ea6/analysis/; classtype:trojan-activity; sid:29565; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80:81 (msg:"MALWARE-CNC Win.Trojan.Blobrsa variant outbound connection"; flow:to_server,established; content:"GET /index.aspx?info="; depth:21; content:"3a5c"; within:4; distance:2; content:!"User-Agent|3A|"; content:!"Accept|3A|"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/99107ea1c4517d37829d445c647696e3dc3616fd41d4999ebb532e8924ded50b/analysis/; classtype:trojan-activity; sid:29563; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80:81 (msg:"MALWARE-CNC Win.Trojan.Blobrsa variant outbound connection"; flow:to_server,established; content:"GET /logo32.png HTTP/1.1|0D 0A|"; depth:26; content:!"User-Agent|3A|"; content:!"Accept|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/99107ea1c4517d37829d445c647696e3dc3616fd41d4999ebb532e8924ded50b/analysis/; classtype:trojan-activity; sid:29562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Lechiket variant outbound connection"; flow:to_server,established; content:"/srv.php?&id="; depth:13; http_uri; content:"&mark="; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8be38b72da4e4d8ed43107b36c26bd27a25c78124a528e973f38996f490b0774/analysis/; classtype:trojan-activity; sid:29561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27977 (msg:"MALWARE-CNC Win.Trojan.Sydigu variant outbound connection"; flow:to_server,established; content:"|00 10 10 0F 0C|"; depth:8; offset:3; content:"|64 64|"; within:2; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/df3112a235a6afab9e523b87229fcbdaa1d846a3ef92c5ed1611aa0ad7369214/analysis/; classtype:trojan-activity; sid:29559; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Marten variant outbound connection"; flow:to_server,established; content:"cdkey=System:Microsoft"; depth:22; http_client_body; content:"/index/opening.asp"; depth:18; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/787d96435cfbf824ec96ed21fd06c691725723bde4fd0f7e5140a7027b5b38d8/analysis/; classtype:trojan-activity; sid:29557; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Loxes variant outbound connection"; flow:to_server,established; content:"GET|20|/MTAyOTM4NDctNS02"; depth:22; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0b5e8f5f5ff913c7a33f435af3f01eed23c51104c4721fe2d1cdf3d7d8e13ca/analysis/; classtype:trojan-activity; sid:29556; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Spyex variant outbound connection"; flow:to_server,established; content:"|0A|Subject: SpyEx Report"; fast_pattern:only; content:"@Victim.com|0D 0A|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/f6f444491b02ab7abad39368879b8f29c1bb2adadf51033394dacc6194918b7f/analysis/; classtype:trojan-activity; sid:29555; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Doneste variant outbound connection"; flow:to_server,established; content:"/bot/login.php?"; depth:15; http_uri; content:"serial="; http_uri; content:"name="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/19531bb128bdb622530fd2503543e29e184941521bc47e946e070228f923d7ea/analysis/; classtype:trojan-activity; sid:29550; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2352 (msg:"MALWARE-CNC Win.Trojan.Sarvdap variant outbound connection"; flow:to_server,established; content:"|3C|msg from=|27|"; depth:11; content:"|27| to=|27|"; within:6; distance:36; content:"|3E|ON LINE|3A|ts="; within:50; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/5334dfa5255a1b6447faab0dad6571af205d5fd5be8af07f17c6d7343639c1c9/analysis/; classtype:trojan-activity; sid:29740; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Caphaw outbound connection"; flow:to_server,established; content:"Accept-Language: en-US|3B|q=0.2,en"; fast_pattern:only; content:"POST /index.php"; content:"z|3D|"; distance:200; isdataat:700,relative; pcre:"/z\x3D[A-Z0-9%]{700}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/45307e675e133d91dda6e3e34fb472f9a68b6bd179db5b9525b1513e02ce1faa/analysis/; classtype:trojan-activity; sid:29670; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection"; flow:to_server,established; urilen:20; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:29666; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"&bolausado"; fast_pattern:only; http_client_body; content:"rotina="; depth:7; http_client_body; content:"&casa="; distance:0; http_client_body; content:"&idcliente"; distance:0; http_client_body; content:"&outro="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:29665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection"; flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"/debug/Version/"; depth:15; http_uri; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1546/6325/0/html#network; reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dampt variant outbound connection"; flow:to_server,established; urilen:31<>43; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|"; fast_pattern:only; http_header; content:!"Accept|3A|"; http_header; content:".jsp?"; depth:12; offset:4; http_uri; content:"="; within:1; distance:2; http_uri; pcre:"/^\/(process|page|default|index|user|parse|about|security|query|login)\.jsp\x3f[a-z]{2}=[a-z]{6}[0-9A-F]{12,20}/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3ecfc43c7a82d30243e2bdfdb0254a5178f0390ecd864ef6f44398432acb4b2a/analysis/; classtype:trojan-activity; sid:29663; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sdconsent outbound connection"; flow:to_server,established; content:"tttt|3D 40 40 40 40 40 40 40|"; fast_pattern:only; http_uri; urilen:>1000; content:"ffff|3D|"; http_uri; content:"nnnn|3D|"; within:5; distance:33; http_uri; content:"ssss|3D|"; within:48; distance:16; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0158; reference:url,www.virustotal.com/en/file/1dbe5bd93cc6ca202b69a02a028e1743f34fbcdaab2c84e5e0e3010dcc2bfafb/analysis/; classtype:trojan-activity; sid:29644; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Lumbko variant initial outbound connection"; flow:to_server,established; urilen:15; content:"/L10Apps/ra.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/de94a75eeb351a5f9f010ed4e7bbefffcde3ea51ec1dd84a3a87fc58d73c553e/analysis/; classtype:trojan-activity; sid:29638; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Lumbko variant outbound connection"; flow:to_server,established; content:"texto="; depth:6; fast_pattern; http_client_body; content:"/img/"; depth:5; http_uri; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/de94a75eeb351a5f9f010ed4e7bbefffcde3ea51ec1dd84a3a87fc58d73c553e/analysis/; classtype:trojan-activity; sid:29637; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,8080,443] (msg:"MALWARE-CNC Win.Trojan.Blocker.cbuf variant outbound connection"; flow:to_server,established; content:"|64 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; offset:8; content:"|00 00 00 00 00 00|"; depth:6; offset:229; stream_size:client,<,1776; stream_size:client,>,1263; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/1fdd456168f9e961e841f6c36991172743bafad462e9151524bfb4164090045f/analysis/; classtype:trojan-activity; sid:29636; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Nursteal variant outbound connection"; flow:to_server,established; urilen:13; content:"Referer|3A| http|3A 2F 2F|www.naver.com|0D 0A|Content-Type|3A| application/x-www-form-urlencoded"; fast_pattern:only; http_header; content:"/help/api.php"; http_uri; content:"a1="; depth:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7e41e5a1943a1457a52405c18fda70cbb082eb735b4b41811ac3079ec4b0807d/analysis/; classtype:trojan-activity; sid:29635; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/m/f_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29791; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/l/af_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29790; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/ag/plugin.crx"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29789; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto outbound connection"; flow:to_server,established; content:"Group|3D|"; http_uri; content:"Install|3D|"; http_uri; content:"Ver|3D|"; http_uri; content:"Ask|3D|"; http_uri; content:"Bn|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server, established; urilen:10; content:"/post/echo"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29817; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server, established; content:"/post"; http_uri; content:"User-Agent: something"; fast_pattern:only; http_header; content:"mac="; http_client_body; content:"&t1="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29816; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection"; flow:to_server,established; content:"/get/?ver="; depth:10; http_uri; content:"&aid="; distance:0; http_uri; content:"&hid="; distance:0; http_uri; content:"&rid="; distance:0; http_uri; content:"&data="; distance:0; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29828; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 888 (msg:"MALWARE-CNC Win.Trojan.Comowba variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent|3A| User-Agent="; fast_pattern:only; content:"|0D 0A|Accept-Charset|3A| Accept-Charset="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B3F0C670600DFF5C889943948B5D1DBC5F07105D08086EE0F33161132FFEB2F7/analysis/; classtype:trojan-activity; sid:29901; rev:1;)
alert tcp $HOME_NET any -> any 6000 (msg:"MALWARE-CNC Win.Trojan.Pmkype variant outbound connection"; flow:to_server,established; content:"POST /cgi-bin/save_user HTTP/1."; depth:31; fast_pattern; content:"|3A|6000|0D 0A|"; distance:0; content:!"Accept|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7DF31F40196E1E22A54EA11F38EB6DC525D7B3781C72A1630E233E48F6F76F93/analysis/; classtype:trojan-activity; sid:29899; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Zygtab variant outbound connection"; flow:to_server,established; content:"X-Mailer|3A| The Bat! |28|v3.02|29| Professional"; fast_pattern:only; content:"From|3A| JP "; file_data; content:"Windows IP Configuration|0D 0D|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/3c05c27dab04389cd43fd7cc9214f65bfe1d1ba20310c6ff413355eddfbff728/analysis/; classtype:trojan-activity; sid:29898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/prl/el.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e00541759eb18a31f959da521a9/analysis/; reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity; sid:29897; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Pyteconte variant outbound connection"; flow:to_server,established; content:"Authorization|3A| Q0tBZG1pbg==|0D 0A|"; fast_pattern:only; http_header; content:"|3A|8080|0D 0A|"; http_header; content:!"Accept|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B18C100ED8D45A2B4D90EBA0C6DCFCCA644EAD4D80058A344F7FC757B880FEA1/analysis/; classtype:trojan-activity; sid:29893; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypi.A outbound keylogger traffic"; flow:to_server,established; content:"/key2/gate.php?name="; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b30ffc4f376cf49c8e1c70d51ced17b8b1e54a6425c263279e2c0c34d06156ce/analysis/; classtype:trojan-activity; sid:29886; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypi.A outbound information disclosure"; flow:to_server,established; content:"/key2/gate.php?q=online&"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b30ffc4f376cf49c8e1c70d51ced17b8b1e54a6425c263279e2c0c34d06156ce/analysis/; classtype:trojan-activity; sid:29885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29884; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Tohwen variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B|Windows NT 5.1)"; fast_pattern:only; http_header; content:"|CF CF|"; depth:2; http_client_body; content:"|FF FF D0|"; within:40; distance:8; http_client_body; content:"|D0 DA|"; within:2; distance:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/24c98927c58a13651eda9ff40afd2fb43ddff40998d0386f51a3f35d34760f9a/analysis/; classtype:trojan-activity; sid:29883; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection"; flow:to_server,established; content:"/gateway.php"; nocase; http_uri; content:"page=JyBBTkQgMT0yIFVOSU9OIEFMTCBTRUxFQ"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:29881; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection"; flow:to_server,established; content:"/gateway.php"; nocase; http_uri; content:"VU5JT04gQUxMIFNFTEVD"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:29880; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection"; flow:to_server,established; content:"/gateway.php"; nocase; http_uri; content:"TklPTiBBTEwgU0VMRUNU"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:29879; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection"; flow:to_server,established; content:"/gateway.php"; nocase; http_uri; content:"SU9OIEFMTCBTRUxFQ1QK"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:29878; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 59870 (msg:"MALWARE-CNC Win.Trojan.Chikdos.A outbound information disclosure"; flow:to_server,established; content:"|10 27 60 EA|"; fast_pattern:only; content:"Windows|20|"; byte_test:1, =, 0, 400; metadata:impact_flag red, policy security-ips drop; reference:url,virustotal.com/en/file/c2a0e9f8e880ac22098d550a74940b1d81bc9fda06cebcf67f74782e55e9d9cc/analysis; classtype:trojan-activity; sid:29877; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Hanove variant outbound connection"; flow:to_server,established; content:"[ClipBoard Data|3A|"; fast_pattern:only; http_client_body; content:"Windows Title"; http_client_body; content:"Session Starts"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7214be3b955cdd6ce1a8bb12c6f0a257531e440dd9687b9500a7b039464fff75/analysis/; classtype:trojan-activity; sid:29873; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pony HTTP response connection"; flow:to_client,established; content:"Content-Length: 16"; http_header; file_data; content:"STATUS-IMPORT-OK"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1830/6840/0/html; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29870; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Napolar phishing attack"; flow:to_client,established; content:"facebook.com.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29869; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: "; fast_pattern:only; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:29865; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; urilen:33; content:"/read/swf/searchProductResult.jsp"; fast_pattern:only; http_uri; content:"cache=cc2="; depth:10; http_cookie; content:"|3B| core="; distance:0; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbout connection"; flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D 0A|"; fast_pattern:only; http_header; file_data; content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Brabat variant outbound connection"; flow:to_server,established; content:"&idmaq=DQohIFJFRy5FWEUgVkVSU0lP"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c1fb2f577f3ae9697eb3c52a930c9f7eed293ffcf3745d1b64cc7932873bc19f/analysis/; classtype:trojan-activity; sid:29861; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6900 (msg:"MALWARE-CNC Win.Trojan.Verxbot variant outbound connection"; flow:to_server,established; content:"JOIN ##!vrx getsome|0D|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ircd; reference:url,www.virustotal.com/en/file/7f7b198442fd5d93cc2fb49e6f02cf91d861cbe24ce6e4e6fa423ec91f74ab04/analysis/; classtype:trojan-activity; sid:29925; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Farfli outbound connection"; flow:to_server,established; content:"guid="; depth:5; http_client_body; content:"|26|state="; distance:32; fast_pattern; http_client_body; pcre:"/^guid=[a-f0-9]{32}\x26state=(LOST|WORK|WAIT|RUN)/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6c419f925d00a076fe448d04652cf2f573acdaf523b53b3ef64b427eae11be5d/analysis/; classtype:trojan-activity; sid:29924; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Bazuc jobs check outbound connection"; flow:established,to_server; content:"/jobs?reg_key|3D|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a9296f8f5469b9015e49e45b7ea9ffa7b4871b3e9efd37bf4dd192bbf07b87ca/analysis/; classtype:trojan-activity; sid:29923; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Bazuc initial outbound connection"; flow:established,to_server; content:"/user_limit?reg_key|3D|"; fast_pattern:only; http_uri; content:"dayLimit|3D|"; http_uri; content:"monthLimit|3D|"; http_uri; content:"paypal|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a9296f8f5469b9015e49e45b7ea9ffa7b4871b3e9efd37bf4dd192bbf07b87ca/analysis/; classtype:trojan-activity; sid:29922; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.ZhiZhu variant inbound connection"; flow:to_client,established; file_data; content:"B9273C17"; content:"B6A74634"; within:60; distance:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ff96d09e3fe618a296dc5b4425224831dbb49877be054276da5baefcc52e0f53/analysis/; classtype:trojan-activity; sid:29921; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"MALWARE-CNC Win.Trojan.ZhiZhu variant outbound connection"; flow:to_server,established; content:"|D8 D8 D8 D8 37 27 27 26|"; depth:8; fast_pattern; content:"|27 27 27 27 27 27 27 27|"; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/ff96d09e3fe618a296dc5b4425224831dbb49877be054276da5baefcc52e0f53/analysis/; classtype:trojan-activity; sid:29920; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsnu system information disclosure"; flow:to_server,established; content:"/signup.php?text="; depth:17; http_uri; content:"img_url=http:/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0183bce3002fc078d7d31245157820943d61f511b62b34b5ec6d0e830df5cc37/analysis/; classtype:trojan-activity; sid:29916; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Zmcwinsvc outbound system information disclosure"; flow:to_server,established; content:"WINSVC"; depth:6; content:"|00 00|"; within:2; distance:2; content:"|00 00|"; within:2; distance:2; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/bfe4e0db9d719bcda09242be9a2c86200413b1be497182a9e14b5524ad6b48fd/analysis/; classtype:trojan-activity; sid:29914; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nortusa variant outbound system information disclosure"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|0D 0A|"; fast_pattern:only; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/ae294e6667384b919547e24fef76e9564f672f19ee7e3e846a6c8931f1fbef4c/analysis/; classtype:trojan-activity; sid:29911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Madnedos outbound system information disclosure"; flow:to_server,established; content:"mk=0fe9bd&os=Win"; fast_pattern:only; http_uri; content:"&c="; offset:11; http_uri; content:"&rq="; within:4; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f404fc0f7ca32b2927066b8002a2e847c9f21c9d5b0d01c484e9e20600c8e88d/analysis/; classtype:trojan-activity; sid:29907; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"MALWARE-CNC Win.Trojan.Meac malware component download request"; flow:to_server,established; content:"|14 00 00 00 00 00 00 00 00 00|"; depth:10; metadata:impact_flag red, policy security-ips drop; reference:url,virustotal.com/en/file/73925ed709ff4891315a7ac7910666e3d3d46d34b4719f6102b45e3eea5a35bd/analysis/; classtype:trojan-activity; sid:29987; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Bicolo variant outbound connection"; flow:to_server,established; content:"/images/srvr/partner/send.php"; fast_pattern:only; http_uri; content:"cparam=S0"; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A17E1A26FF8540BF0911D09132B710A8707225A9E70DB57A41367B26BB2DA86A/analysis/; classtype:trojan-activity; sid:29985; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Oshidor variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; fast_pattern:only; http_header; content:"/add/note.php"; http_uri; content:"password="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A4FEF3EF3D549DD81293B6C329E2D6BC62C4960E9627CCEBEDA248D720AD03E3/analysis/; classtype:trojan-activity; sid:29982; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tiny variant outbound connection"; flow:to_server,established; content:"/ie-error.gif?action=utility"; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&error="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41c88083f4a3d3c04805a721/analysis/; classtype:trojan-activity; sid:29981; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fucom outbound connection"; flow:to_server,established; content:"USER a2526388|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/0d5f89f57f72b7ca0fa77db5ef17461104c2d5e002541fee27d9886e8acb00f2/analysis/; classtype:trojan-activity; sid:29980; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ANDR.Trojan.FakeApp outbound connection"; flow:established, to_server; content:"/cp/server.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=Aab03x"; http_header; content:"User-Agent: Dalvik"; http_header; file_data; content:"AaB03x"; content:"name=|22|phone"; distance:0; content:"name=|22|type"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securityaffairs.co/wordpress/22465/cyber-crime/banking-trojan-hit-islamic-mobile.html; reference:url,www.virustotal.com/file/66911EE32FC4777BB9272F9BE9EB8970B39440768B612FBAB4AC01D8E23F9AA1/analysis/; classtype:trojan-activity; sid:29978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Svekifc outbound persistent connection"; flow:to_server,established; content:"yUkEr|0E 00 00 00 01 00 00 00 2B|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/c90753b22c4b1ea77c9494dfcec4d9b8414c4d1c3e3e2dbaeead0fde3cefabae/analysis/; classtype:trojan-activity; sid:29976; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Svekifc system information disclosure"; flow:to_server,established; content:"yUkEr|6D 01 00 00 60 01 00 00 2C 00 00 00 9C 00 00 00|"; depth:21; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/c90753b22c4b1ea77c9494dfcec4d9b8414c4d1c3e3e2dbaeead0fde3cefabae/analysis/; classtype:trojan-activity; sid:29975; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bublik.Zusy runtime detection"; flow:to_server,established; content:"POST"; http_method; content:"/nwi/tim.php"; fast_pattern:only; http_uri; isdataat:500; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0b9c1126c5bdd4164eee843bbd5df3e5b5f79ec3945f04d0276b96f309739185/analysis/; classtype:trojan-activity; sid:29973; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Horsum outbound system information disclosure"; flow:to_server,established; content:"B4F61B4D28BF7DEDA04FA23E1BFA21C8"; depth:32; metadata:impact_flag red, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/6c81871574fb54479e0920ee239f2bec9b636d64991cff66e674885ac1630513/analysis/; classtype:trojan-activity; sid:29998; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stealzilla variant outbound connection"; flow:to_server,established; content:"/index.php?record=ZnRwOi8v"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b9a12f9b6827144d84e65ef2ba454d77cb423c5e136f44bc8d3163d93b97f11f/analysis/; classtype:trojan-activity; sid:30076; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nemim variant outbound connection"; flow:to_server,established; content:"/html/docu.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"|3B|"; depth:20; http_client_body; pcre:"/^[^\s]*\x0D\x0A$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/862d87f5962cb578f3b1b63ef09b27c649698f1a9d8190da9935f14a06dfacd2/analysis/; classtype:trojan-activity; sid:30074; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; urilen:43,norm; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|3B| rv|3A|25.0|29| Gecko/20100101 Firefox/25.0|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2f[0-9A-F]{42}$/Um"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/463a9312a12b752aeea35dbcd9b8bec80f073a9d94e4696c7909d24f66cd94af/analysis/; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:30073; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/and/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; pcre:"/^[a-z\d\x2f\+\x3d]{10,98}$/Pi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; urilen:9; content:"Content-Length|3A 20|2187|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b8ae0f5bc38fbeb8a13d51f765efac26c5c60b995aa899760e36088d575f9a10/analysis/; classtype:trojan-activity; sid:30064; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; urilen:9; content:"Content-Length|3A 20|412|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b8ae0f5bc38fbeb8a13d51f765efac26c5c60b995aa899760e36088d575f9a10/analysis/; classtype:trojan-activity; sid:30063; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Tyleny variant outbound connection"; flow:to_server,established; content:"/k.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"User-Agent"; http_header; content:"|49|"; depth:2; http_client_body; content:"|31|"; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/31aa9909ff4ff597a6cef4b03af6339d54a5f0be1b87fef059897337baa8afab/analysis/; classtype:trojan-activity; sid:30061; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Coresh outbound identification request"; flow:to_server,established; content:"/webhp?rel="; http_uri; content:"hl="; within:3; distance:4; http_uri; content:"ai="; within:3; distance:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5f6b2a0d1d966fc4f1ed292b46240767f4acb06c13512b0061b434ae2a692fa1/analysis/; classtype:trojan-activity; sid:30060; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Bogoclak outbound FTP connection information disclosure"; flow:to_server,established; content:"CWD /troj/|0D 0A|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aMSIL%2fBogoclak.A; reference:url,virustotal.com/en/file/d422075cf99d4fc146242d3906c428af8379a1322ab94146d3d1cfba83a9da1c/analysis/; classtype:trojan-activity; sid:30058; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8608 (msg:"MALWARE-CNC Win.Trojan.Peronspy outbound system information disclosure"; flow:to_server,established; content:"Y21kfA==|0D 0A|"; depth:10; metadata:impact_flag red; reference:url,virustotal.com/en/file/4f594638a45507a2f5b29e165e2bbd5ea53e80fbec29d9d8cfb1b22bff3bb83a/analysis/; classtype:trojan-activity; sid:30057; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Deventiz CWD system information disclosure via FTP"; flow:to_server,established; content:"CWD /stealer|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp; reference:url,virustotal.com/en/file/f4f494b4e7cdad6a910470998eb52c501e94173d89e343ec28fa24124c8d8eb4/analysis/; classtype:trojan-activity; sid:30055; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Crowti variant outbound connection"; flow:to_server,established; urilen:10<>15; content:"Content-Length: 92|0D|"; fast_pattern:only; http_header; content:"Connection: Close|0D|"; http_header; content:"="; depth:1; offset:1; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2B0D6128A70F253D64E71988D7EEE2534247A4617DF2D1D283530AF372A0AAC3/analysis/; classtype:trojan-activity; sid:30047; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zaleelq variant outbound connection"; flow:to_server,established; content:"/update.php?id="; fast_pattern:only; http_uri; content:"GET"; http_method; content:"User-Agent: Mozzila Firefox 17"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/en/file/85dc534bf805caa2bae5b59a1f874c2d527da15a793510c3cd0e71726bee2d90/analysis/; classtype:trojan-activity; sid:30037; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ovnavart variant outbound connection"; flow:to_server,established; content:"PH5.0 W20130912"; fast_pattern:only; http_header; content:"GET"; http_method; pcre:"/User-Agent\x3a\sMSIE.*\x3b\sNT.*\x3b\sAV.*\x3b\sOV.*\x3b\sNA.*VR\x28PH5.0\sW20130912/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/004b350e8514ad663cad7620babe6290097c1d1f3649377251fadebec041b5cd/analysis/; reference:url,www.virustotal.com/en/file/64745e0c2ea2719dd5b5dd240274316ae357134f2ff06d5b8f796975934b360f/analysis/; reference:url,www.virustotal.com/en/file/9637a23ff5c0e4a6a93f763f1f1cfba84fe07d87c8e8fbfff4c82fa00a50d166/analysis/; classtype:trojan-activity; sid:30036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sylonif variant outbound connection"; flow:to_server,established; content:"|0D 0A|Logfile of SystemInfoLOG|0D 0A|"; fast_pattern:only; content:"|0A|OSADD"; depth:208; content:"Windows"; within:20; content:"|0A|UNAME"; within:175; content:"|0A|USADD"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/696cb4497abca6bea19bc96ced5fe21734cddc9ebd01a330e0a8d4d87060bf60/analysis/; classtype:trojan-activity; sid:30035; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8850 (msg:"MALWARE-CNC Win.Trojan.Donanbot outbound connection"; flow:to_server,established; content:"FY15|3A|"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/289ac94ab1b4c2d2d26ff4e5b2754baa403ef93cd74863efd44bf0336a181a4d/analysis/; classtype:trojan-activity; sid:30034; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [137,139,445] (msg:"MALWARE-CNC Win.Trojan.Reedum BlackPoS stolen data transfer to internal staging area"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5C 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5C 00|"; distance:0; nocase; content:"|2E 00|t|00|x|00|t"; within:100; nocase; metadata:impact_flag red, service netbios-ssn; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; reference:url,krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf; reference:url,www.virustotal.com/en/file/853FB5A2AAD2E0533E390CFA5B0F3DFE96A054390CACDC8F4BA844BBA20809E4/analysis/; classtype:trojan-activity; sid:30099; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Reedum BlackPoS outbound FTP file timestamp"; flow:to_server,established; content:"PUT"; nocase; content:"data_"; distance:0; nocase; pcre:"/data_[\d]{4}_([\d]{2}_){3}[\d]{2}.txt/"; metadata:impact_flag red, service ftp; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; reference:url,krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf; reference:url,www.virustotal.com/en/file/853FB5A2AAD2E0533E390CFA5B0F3DFE96A054390CACDC8F4BA844BBA20809E4/analysis/; classtype:trojan-activity; sid:30098; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:13; content:"/forum/db.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network; reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Nitol variant outbound connection"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|00 00|Windows|20|"; depth:10; offset:66; isdataat:!1028,rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/25bad070a371b52204f6f16350b57968455028b1d59c9d255d521720b218afc0/analysis/; classtype:trojan-activity; sid:30090; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3900 (msg:"MALWARE-CNC Win.Trojan.Hupigon variant outbound connection"; flow:to_server,established; content:"PEdSPtTaz9/W97v6PC9HUj"; depth:22; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/afea82e15b9e95641fc9736bf2a93363a7a3544ecd086e553653c42c1802e02d/analysis/; classtype:trojan-activity; sid:30088; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamut configuration download"; flow:to_server,established; content:"|26|file=SenderClient.conf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30087; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Momibot outbound system information disclosure"; flow:to_server,established; content:"/v3/index.php"; depth:13; http_uri; content:"byE8PCdtbzE6PTU8czo3"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMomibot.gen!B; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=BKDR_MOMIBOT.H; reference:url,virustotal.com/en/file/be042bca62bf0ca496a774557af944442b6f0616adf5e60b3ab2e208370a972b/analysis/; classtype:trojan-activity; sid:30078; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Uroburos inbound encrypted data"; flow:to_client,established; file_data; content:"1dM3uu4j7Fw4sjnb"; depth:80; offset:64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bf1cfc65b78f5222d35dc3bd2f0a87c9798bce5a48348649dd271ce395656341/analysis/; classtype:trojan-activity; sid:30193; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Uroburos inbound command"; flow:to_client,established; file_data; content:"Finish |0D 0A|"; depth:9; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bf1cfc65b78f5222d35dc3bd2f0a87c9798bce5a48348649dd271ce395656341/analysis/; classtype:trojan-activity; sid:30192; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uroburos usermode-centric client request"; flow:to_server,established; content:"/1/6b-558694705129b01c0"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive|0D 0A|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30191; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Russian Bank scam malware POST to server"; flow:to_server,established; urilen:>100; content:"/hZXMGZLPi"; depth:10; http_uri; content:".shtml"; http_uri; content:"akamai-technologies.org"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30168; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Russian Bank scam malware GET request to server"; flow:to_server,established; urilen:>100; content:"/KJcYrKuK/"; depth:10; http_uri; content:".shtml"; http_uri; content:"akamai-technologies.org"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30167; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ShadyRAT variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"Expect|3A| 100-continue|0D 0A|"; http_header; content:"crypt="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1032c4a9ab4516830724cfd7bc9b2a0170f7ea0b071f357cc8933a91eebfc781/analysis/; reference:url,www.virustotal.com/en/file/99d7667bf36218afe42e26de15224f8185f1357e677dc974e13055f4ad806b89/analysis/; classtype:trojan-activity; sid:30216; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Sharik variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Accept-Language: en,en-US|3B|q=0.9,en|3B|q=0.8"; fast_pattern:only; http_header; pcre:"/^([0-2]\d\d){75}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/474c1a0a0f99b1f42391d179d7a0ad8f9de96c45a8a50e2eca07e72185462742/analysis/; classtype:trojan-activity; sid:30214; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.ZeusVM embedded image config file download"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|FF FE 3F 10 00 00|"; fast_pattern:only; pcre:"/\xFF\xFE\x3F\x10\x00\x00.{14}[\x2Bx\x2Fa-z0-9]{20}/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C003CA9C9694489F202E5A77FBD4973ADF7286C414EB98D525A8BFBC582D8962/analysis/; classtype:trojan-activity; sid:30211; rev:1;)
alert tcp $HOME_NET [128] -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nakcos variant outbound connection"; flow:to_client,established; content:"|01 06 77 42|"; depth:4; fast_pattern; content:"|00 00 00|"; within:3; distance:1; content:"___"; distance:0; content:"|29 20 00 00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/1795567d0f16d0b512f640e3a9a46baf01bbcc7f205b6bc6175f91d17bc90fa7/analysis/; classtype:trojan-activity; sid:30208; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:established,to_server; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; within:3; distance:2; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/report.php?id=1903372; reference:url,urlquery.net/report.php?id=5050751; classtype:trojan-activity; sid:30204; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:established,to_server; content:"/hello/"; depth:7; http_uri; content:"/"; within:3; distance:2; http_uri; content:"/"; within:3; distance:2; http_uri; pcre:"/^\/hello\/[0-9]\.[0-9]\/[0-9]{3}\/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/report.php?id=1903372; reference:url,urlquery.net/report.php?id=5050751; classtype:trojan-activity; sid:30203; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".xpg.com.br|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9d55fbb2e42fd640fee1eac/analysis/; classtype:trojan-activity; sid:30198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"/tmp/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:!"Accept"; http_header; pcre:"/^[a-z\d\x2b\x2f\x3d]{48,256}$/iP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c676db3798b733851a6b37ef6b0bc5f3be/analysis; classtype:trojan-activity; sid:30196; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|"; fast_pattern:only; content:"|0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; http_header; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:30234; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE-CNC Win.Trojan.Eybog variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A 40 24|"; fast_pattern; isdataat:70,relative; content:"GET|20|"; depth:4; content:!"Accept|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/C84FC7BEF4E77E1F913A4BE1A7114D255459F9D808FCC09B0F441E3761E5E4A4/analysis/; classtype:trojan-activity; sid:30231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mumawow outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|logogo.exe"; fast_pattern:only; http_header; content:"/count/count.asp?"; nocase; http_uri; content:"mac|3D|"; within:4; nocase; http_uri; content:"|26|ver|3D|"; within:22; nocase; http_uri; content:"|26|user|3D|"; distance:0; nocase; http_uri; content:"|26|md5|3D|"; distance:0; nocase; http_uri; content:"|26|pc|3D|"; within:36; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4ff9e2e2d117218782835aaa527b2fc040d8e963d3691058161f47c77c391696/analysis/; classtype:trojan-activity; sid:30251; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Name variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/gate.php?act="; fast_pattern:only; http_uri; content:"id="; http_uri; content:"pwd="; http_uri; content:"t="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/95c22884d7f9990e16ffc7be3be712e71355ebb693f4d274ada6d9b46348cdfa/analysis/; classtype:trojan-activity; sid:30239; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qadars variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"=qgAAAAgA"; fast_pattern:only; http_client_body; content:"=qgAAAAgA"; depth:9; offset:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c0eccfae17a86b7f95404df67bcc94d97059179209342cd78209e32ab43c2d14/analysis/; classtype:trojan-activity; sid:30235; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sloth variant command and control traffic"; flow:to_client,established; file_data; content:">SC<|20|eF8"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/; classtype:trojan-activity; sid:30279; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sloth variant command and control traffic"; flow:to_client,established; file_data; content:">SC<|20|cnVu"; depth:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/; classtype:trojan-activity; sid:30278; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sloth variant command and control traffic"; flow:to_client,established; file_data; content:">SC<|20|aHR0cDo="; depth:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/; classtype:trojan-activity; sid:30277; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sloth variant command and control traffic"; flow:to_client,established; file_data; content:">SC<|20|SHR0cDo="; depth:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f/analysis/; classtype:trojan-activity; sid:30276; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot drop zone file upload"; flow:to_server,established; content:"|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"/admin/1/secure.php"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding|3B 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2EE81DFCB16F6E9D57CBD114BF16E4237572D1356220BC58B74306841A0D0AE4/analysis/; classtype:trojan-activity; sid:30271; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot configuration file download"; flow:to_server,established; content:"|0D 0A|Connection|3A 20|Close|0D 0A|"; http_header; content:"/admin/1/ppptp.jpg"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding|3B 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2EE81DFCB16F6E9D57CBD114BF16E4237572D1356220BC58B74306841A0D0AE4/analysis/; classtype:trojan-activity; sid:30270; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lista"; http_uri; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:".log|22 0D 0A|"; nocase; http_client_body; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; content:"/20"; depth:3; http_uri; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".inf"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:"&iv="; within:4; distance:36; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e14248045e467c6568926cb494/analysis/1386078525/; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:30258; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/eh.html HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968ca41f06b900d703a27064e/analysis/1393266939/; reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity; sid:30257; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 13|0D 0A|"; http_header; file_data; content:"INTERNACIONAL"; depth:13; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30256; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 6|0D 0A|"; http_header; file_data; content:"BRASIL"; depth:6; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30255; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Drawnetz variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| AutoIt|0D 0A|"; fast_pattern:only; http_header; content:"nomepc="; nocase; http_uri; content:"osName="; distance:0; nocase; http_uri; content:"polimo="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5c8c46f6346a63e4280d115feec15a98588a30e4269524f780425d5a8de8c255/analysis/; classtype:trojan-activity; sid:30323; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Backdoor.Comdinter variant outbound connection"; flow:to_server,established; content:"/register.php"; fast_pattern:only; http_uri; urilen:13; content:!"User-Agent|3A|"; http_header; content:"pcname="; depth:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9bdcae2b2390ecc24002be73a90396b4190a720ab4c02c18264bcba45d290dff/analysis/; classtype:trojan-activity; sid:30311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Backdoor.Comdinter variant outbound connection"; flow:to_server,established; content:"/life.php"; fast_pattern:only; http_uri; urilen:9; content:!"User-Agent|3A|"; http_header; content:"regNr="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9bdcae2b2390ecc24002be73a90396b4190a720ab4c02c18264bcba45d290dff/analysis/; classtype:trojan-activity; sid:30310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Noctabor variant outbound connection"; flow:to_server,established; content:"/8edf4bc26f9c526ff846c9068f387dacV2/?update=daily"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a526c0384b384d8fd8e6f905c61b5a77c0b629e2dc9fd3e0b6d25e5cb4ab7460/analysis/; classtype:trojan-activity; sid:30304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC Win.Trojan.Rajdze variant outbound connection"; flow:to_server,established; content:"ZDJR|3A|Ant-V1.0|7C|"; depth:14; content:"|7C|TXE|00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/1d2f44b3b6ac3bf62a2bfc5199b62cb49c04901f702b9a8924a6a33966deb813/analysis/; classtype:trojan-activity; sid:30302; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Projecthook variant outbound connection"; flow:to_server,established; content:"/rxc.php"; nocase; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.0|3B| SLCC1|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/437ac635677e681970d3a142fd77a08c96a0a884eca1de44d8b5ef1b17d6db30/analysis/; classtype:trojan-activity; sid:30300; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Projecthook variant outbound connection"; flow:to_server,established; content:"/extnotify.php"; nocase; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.0|3B| SLCC1|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/437ac635677e681970d3a142fd77a08c96a0a884eca1de44d8b5ef1b17d6db30/analysis/; classtype:trojan-activity; sid:30299; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Cloudoten variant inbound connection"; flow:to_client,established; dsize:48; content:"|06 07 07 07 23|"; depth:5; content:"|2A|"; within:1; distance:8; content:"|2A|"; within:1; distance:4; content:"|2A|"; within:1; distance:4; content:"|2A|"; within:1; distance:4; content:"|04 07 07 07 40 42 53|"; within:7; distance:12; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/d07588e1f3dae55c052afa280a3d50d6a0c48bc3ce123e0cdeaf457da898d738/analysis/; classtype:trojan-activity; sid:30298; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection"; flow:to_server,established; content:"/stat?"; content:"uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass=bpass"; distance:0; fast_pattern; content:"&version="; distance:0; content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; content:"&p="; distance:0; content:"&s="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30288; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Recub variant outbound connection"; flow:to_server,established; content:"/ip.txt"; fast_pattern:only; http_uri; urilen:7; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/def8e7328ee8e240a129c69384a1fec8723041e7d0b859ade734f719a1d30965/analysis/; classtype:trojan-activity; sid:30284; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Calfbot outbound connection"; flow:to_server,established; content:"/b/index.php?id="; fast_pattern:only; http_uri; content:"&sent="; http_uri; content:"&notsent="; distance:0; http_uri; content:"&stat="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30336; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Calfbot variant outbound connection"; flow:to_server,established; urilen:>50; content:"//"; depth:2; http_raw_uri; content:"/b/index.php?id="; fast_pattern:only; http_uri; metadata:impact_flag red, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30335; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProjectHook initial outbound connection"; flow:to_server,established; content:"/panel_pavel.php?uid="; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0|29|"; http_header; content:"OS="; depth:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/639a894dd927d2b397ea30e57fd4380c9eb1157d0c618e4e72b2b5ec498571a6/analysis/; classtype:trojan-activity; sid:30334; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProjectHook information disclosure attempt"; flow:to_server,established; content:"/panel_pavel.php?uid="; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0|29|"; http_header; content:"DATA="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/639a894dd927d2b397ea30e57fd4380c9eb1157d0c618e4e72b2b5ec498571a6/analysis/; classtype:trojan-activity; sid:30333; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProjectHook configuration file download attempt"; flow:to_server,established; content:"/config/config_01.bin"; fast_pattern:only; http_uri; urilen:21; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0|29|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/639a894dd927d2b397ea30e57fd4380c9eb1157d0c618e4e72b2b5ec498571a6/analysis/; classtype:trojan-activity; sid:30332; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; urilen:485<>520; content:!"/"; offset:1; http_raw_uri; content:!"."; http_uri; content:"%2f"; http_raw_uri; content:"%2b"; http_raw_uri; content:"|20|MSIE|20|"; fast_pattern:only; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30495; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; urilen:1; content:"uCuF4"; depth:5; fast_pattern; http_client_body; isdataat:175,relative; content:"%2b"; nocase; http_client_body; content:"%2f"; nocase; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30494; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; dsize:<20; content:"myversion|7C|"; fast_pattern:only; pcre:"/myversion\x7c(\d\x2e){3}\d\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30484; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; content:"GET /123456789.functionss"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30483; rev:2;)
alert tcp $EXTERNAL_NET 1600:1604 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection"; flow:to_client,established; content:"E|00|N|00|D|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30482; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; content:"php?getcmd="; http_uri; content:"&uid="; distance:1; http_uri; content:"&os="; distance:0; http_uri; content:"&av="; distance:0; http_uri; content:"&serial="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B041F8AD32154A28D8D4BD7CC4BF83EE1D45107C4DAEA63F1D2C2651ADB5014E/analysis/; classtype:trojan-activity; sid:30519; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Systema"; flow:to_server,established; urilen:20; content:"/aviatic/systema.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity; sid:30552; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Minerd"; flow:to_server,established; urilen:>10; content:"/minerd.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30551; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/write"; http_uri; content:"Host: default|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html; reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity; sid:30548; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramdo variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/Hm"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"PREF="; depth:5; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/; reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f205711cdbad3e4b1bde7be2d75/analysis/ reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:30570; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10991 (msg:"MALWARE-CNC Linux.Trojan.Elknot outbound connection"; flow:to_server,established; dsize:401; content:"Linux|20|"; depth:6; offset:17; pcre:"/Linux\x20\d\.[0-9]{1,2}\.[0-9]{1,2}/"; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da008397b7a540e0d45e70ab2/analysis/; classtype:trojan-activity; sid:30566; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Megesat variant outbound connection"; flow:to_server,established; content:"/tconfig1702.php"; fast_pattern:only; http_uri; content:"{ |22|id|22| : |22|"; depth:10; http_client_body; content:"|22|browsers|22| : [ { |22|browser|22| : "; within:29; distance:35; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/75bbeaf9a39032f6020062c27fbcedbfdfc66d91df32cf78032b052715a2ef92/analysis/; classtype:trojan-activity; sid:30560; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uniemv variant outbound connection"; flow:to_server,established; content:"/gate.php?user="; depth:15; http_uri; content:"&id="; within:4; distance:32; http_uri; content:"&type="; distance:0; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d5aac8b90de3dcb014e9c4a7017afe4659efe8e19c36021d23a76d6ed31d2df6/analysis/; classtype:trojan-activity; sid:30559; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehacker outbound connection"; flow:to_server,established; content:"/rat/newconnection.php?username="; fast_pattern:only; http_uri; content:"&country="; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"&priv="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e5fb0a677c208ce3227c12a7dcd03f4f773580d0d5fc85b17f364fa40740ce9c/analysis/; classtype:trojan-activity; sid:30753; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2698 (msg:"MALWARE-CNC Win.Trojan.Tesyong outbound connection"; flow:to_server,established; dsize:<100; content:"|0E 08 44 13 30 30 30 30 30 30|"; fast_pattern:only; content:"|23|Information|23|"; depth:50; offset:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a3f6e64010a14ca7e55231751c6b5889e1df394b16ccda54c67ad69d0915f2d9/analysis/; classtype:trojan-activity; sid:30752; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom variant outbound connection"; flow:to_server,established; content:"|5E 5C B2 F9 52 40|"; depth:6; http_client_body; content:"|7D 5B 6B 3D D1 EE|"; within:6; distance:36; http_client_body; content:"|2E 50 76 E9 67 F1 34 D4 AB 81 76|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal/en/file/bc2de94ce300398d4080172bd4677d7b4bb25039861798e46ab031227e593bd5/analysis/; classtype:trojan-activity; sid:30751; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chabava outbound connection"; flow:to_server,established; content:"/dz/bot.php?id="; fast_pattern:only; http_uri; content:"&compname="; depth:10; offset:27; http_uri; content:"&os="; distance:0; http_uri; content:"&interval=20000&memory="; distance:0; http_uri; content:"&processor="; distance:0; http_uri; content:"&webcam="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/53eb6ee9758449fc674940b306dd4e731fbd1aef73e65baf2dc7463f5d0a82f7/analysis/; classtype:trojan-activity; sid:30743; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Targnik variant outbound connection"; flow:to_server,established; content:"/getip.asp?username="; depth:20; fast_pattern; http_uri; content:"&serverMac="; distance:0; http_uri; content:"&edition=qsb"; within:12; distance:17; http_uri; content:!"User-Agent:"; http_header; content:!"Accept:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,about-threats.trendmicro.com/us/malware/BKDR_ELAN.X; reference:url,virustotal.com/en/file/2f8fd384ddc6ed0b3386b64bc597d6512ab1cd58660fa463393086d61db551bf/analysis/; classtype:trojan-activity; sid:30776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant download request"; flow:to_server,established; content:"GET"; http_method; content:"|2E|php|3F|la|3D|"; fast_pattern:only; http_uri; pcre:"/\x253D$/Im"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:30773; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tI|7C 7C|ikc("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30812; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9t[`mddkglm("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30811; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tMzzgz("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30810; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tZ}ffafo("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30809; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tJg|7C|caddmz("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30808; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9t]faf{|7C|iddafo&&&"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30807; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tLg|7F|fdgilafo(Nadm&&&"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30806; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tZmnzm{`ml&&&"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30805; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Hulpob outbound connection"; flow:to_server,established; dsize:<80; content:"9tNadm("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/59166c006e978de43c26026e2511a2efdccc1190ac58bfad342c76af5566f96d/analysis/; classtype:trojan-activity; sid:30804; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Oldboot variant outbound connection"; flow:to_server,established; content:"|3F|cardid="; http_uri; content:"|26|net="; distance:0; http_uri; content:"|26|channelid="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f0203c4a59f4b9e701276f0021112c65d7b70dd14b8b3f870412a6432d969097/analysis/; classtype:trojan-activity; sid:30815; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Rbrute inbound connection"; flow:to_client,established; dsize:<150; content:"<html>kenji oke</html>"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/eec964dd018ad0c40ff3d7f3a3938350522119122a0cc9711212950fc06b14a0/analysis/; classtype:trojan-activity; sid:30883; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-CNC Win.Trojan.Rbrute inbound connection"; flow:to_server; dsize:4; content:"|BE BA FE CA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/eec964dd018ad0c40ff3d7f3a3938350522119122a0cc9711212950fc06b14a0/analysis/; classtype:trojan-activity; sid:30882; rev:2;)
alert tcp $HOME_NET 9005 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tuhao variant outbound connection"; flow:to_client,established; content:"TUHAOISRIGHT"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/e74df6376e77052620c78ea4ad3f285e1803eaafbcf65a90d3b51f15bfccab7d/analysi; classtype:trojan-activity; sid:30900; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"MALWARE-CNC Win.Backdoor.DarkKomet variant outbound connection"; flow:to_server,established; content:"|7C 0A|"; depth:8; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/903b104c05832da9d88c33613bbbaf20038e78c50657e9deedfd89732c0d8c73/analysis/; classtype:trojan-activity; sid:30897; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"MALWARE-CNC Win.Backdoor.DarkKomet variant outbound connection"; flow:to_server,established; content:"pong|7C|Program Manager###"; depth:23; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/903b104c05832da9d88c33613bbbaf20038e78c50657e9deedfd89732c0d8c73/analysis/; classtype:trojan-activity; sid:30896; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Roopre outbound connection"; flow:to_server,established; content:"Pragma|3A| 1337|0D 0A|"; fast_pattern:only; http_header; content:"R,"; depth:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9a3080c635199ec57405db4945b37176243d82e6da90a2183db37921d7aa5657/analysis/; classtype:trojan-activity; sid:30938; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Hd backdoor outbound secure-connection"; flow:to_server,established,no_stream; content:"|3A 3A 3A 0A|"; depth:4; offset:1; dsize:5; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/7b1566227ed2c8f74c3bae10695e79c0a4a2f570625697d601798d6924ba1fdf/analysis/; reference:url,www.virustotal.com/en/file/b48b90551b289596e89045b621a5746944e5407833830b25592908ac38eec8f7/analysis/; classtype:trojan-activity; sid:30926; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Hd backdoor outbound connection"; flow:to_server,established; content:"-> HD Password:"; content:"-> Welcome and have fun! :)"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/7b1566227ed2c8f74c3bae10695e79c0a4a2f570625697d601798d6924ba1fdf/analysis/; reference:url,www.virustotal.com/en/file/b48b90551b289596e89045b621a5746944e5407833830b25592908ac38eec8f7/analysis/; classtype:trojan-activity; sid:30925; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Hd backdoor inbound connection"; flow:to_client,established; content:"-> HD Password:"; content:"-> Welcome and have fun! :)"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/7b1566227ed2c8f74c3bae10695e79c0a4a2f570625697d601798d6924ba1fdf/analysis/; reference:url,www.virustotal.com/en/file/b48b90551b289596e89045b621a5746944e5407833830b25592908ac38eec8f7/analysis/; classtype:trojan-activity; sid:30924; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Sefnit outbound connection"; flow:to_server,established; content:"en-us|0D 0A|UA-CPU: x86|0D 0A|User-Agent:"; fast_pattern:only; content:"Cookie: "; offset:180; content:"Content-Length: "; within:20; distance:40; content:"Max-Forwards: "; within:14; distance:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/c172dccfabe09aae0ff73b97499b5dc56647701ceb60ecc922e4b987c2f3de4b/analysis/; classtype:trojan-activity; sid:30923; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Phelshap variant outbound connection"; flow:to_server,established; content:"/cgi-bin/wctrlog.cgi?ip="; fast_pattern; http_uri; content:"&compn="; within:22; http_uri; content:"&usr="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJANDROPPER:WIN32/PHELSHAP.A; reference:url,virustotal.com/en/file/58c046f8c9cc662bcd5ba79724a246c08f0c55cb49d3842295d4c35533b987ca/analysis/; classtype:trojan-activity; sid:30917; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30915; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30914; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8766 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:":8766|0D 0A|Connection|3A 20|"; fast_pattern:only; content:"/?a|20|HTTP/1."; depth:25; content:!"Referer|3A 20|"; content:!"Accept|3A 20|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58cc1e70465e5f608fd5de17dff59af8354e0356b75ebc8f4795eacaa07ef8d3/analysis/; classtype:trojan-activity; sid:30955; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9883 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:":9883|0D 0A|Connection|3A 20|"; fast_pattern:only; content:"/?a|20|HTTP/1."; depth:25; content:!"Referer|3A 20|"; content:!"Accept|3A 20|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58cc1e70465e5f608fd5de17dff59af8354e0356b75ebc8f4795eacaa07ef8d3/analysis/; classtype:trojan-activity; sid:30954; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:":23|0D 0A|Connection|3A 20|"; fast_pattern:only; content:"/?a|20|HTTP/1."; depth:25; content:!"Referer|3A 20|"; content:!"Accept|3A 20|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58cc1e70465e5f608fd5de17dff59af8354e0356b75ebc8f4795eacaa07ef8d3/analysis/; classtype:trojan-activity; sid:30953; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Botintin outbound connection"; flow:to_server,established; content:"/.bot/"; depth:6; fast_pattern; http_uri; content:"hwid="; distance:0; http_uri; content:"os="; distance:0; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ea9d1b246be2a1a9b1a2ac25158a513a7a1b1d71720e6923fdfab5aa79fe0b2e/analysis/; classtype:trojan-activity; sid:30947; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Worm.Winiga FTP login attempt"; flow:to_server,established; content:"PASS m1368cloob"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/cc86b53c7e80d04743f157916f666f6753ad2c61f2f3906eca2a7ee0bc972201/analysis/; classtype:trojan-activity; sid:30945; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/hunter/123/order.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:31020; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; content:"Content-Length: 90|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Connection: Close|0D 0A|"; http_header; content:"="; depth:1; offset:1; http_client_body; content:!"="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31014; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Sisbot variant outbound IRC connection"; flow:to_server,established; content:"PRIVMSG #h@x0r :I'm here to serve you master!"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http, service ircd; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3aMSIL%2fSisbot.A; reference:url,virustotal.com/en/file/8c33108b9a5486e10d6d31e78885c84cd41ef6188767a4bb5f6b1bc01952575b/analysis/; classtype:trojan-activity; sid:31010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Iplorko.A runtime detection"; flow:to_server,established; content:"form"; nocase; http_uri; content:"QUVAAx"; fast_pattern:only; content:"QUVAAx"; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58a8150e515a8c747389e6e79b12542b32ecf8127597b228df96b51b2871a777/analysis/; classtype:trojan-activity; sid:31007; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nethief initial outbound connection"; flow:to_server,established; content:"/update7/pic"; fast_pattern:only; http_uri; urilen:17; content:!"User-Agent: Mozilla/"; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E806B8A995B9C84FFF49CCC28EDA497DC9039436C700C54F2C811D2C000E80A6/analysis/; classtype:trojan-activity; sid:31006; rev:1;)
alert udp $HOME_NET [1024:] -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nethief information disclosure attempt"; flow:to_server; dsize:363; content:"S-1|00|"; depth:65; offset:16; content:"MB|00 00 00 00 00 00 00 00|"; within:70; distance:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E806B8A995B9C84FFF49CCC28EDA497DC9039436C700C54F2C811D2C000E80A6/analysis/; classtype:trojan-activity; sid:31005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nethief information disclosure attempt"; flow:to_server,established; content:"/index.htm"; http_uri; urilen:10; content:"Content-Length: 363"; fast_pattern:only; http_header; content:"S-1|00|"; depth:65; offset:16; http_client_body; content:"MB|00 00 00 00 00 00 00 00|"; within:70; distance:200; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E806B8A995B9C84FFF49CCC28EDA497DC9039436C700C54F2C811D2C000E80A6/analysis/; classtype:trojan-activity; sid:31004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kimsuky variant outbound connection"; flow:to_server,established; content:"/xhrupload.php"; fast_pattern:only; http_uri; content:"User-Agent: User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securelist.com/en/analysis/204792305/The_Kimsuky_Operation_A_North_Korean_APT; reference:url,virustotal.com/en/file/53e3cdbfbfb4fe673e10c8bdadc5d8790e21d01f0b40ffde0a08837ab9a3df91/analysis/; classtype:trojan-activity; sid:31002; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection"; flow:to_server,established; flowbits:isset,file.xls&file.ole; file_data; content:"|8B 0C 24 83 C4 04 8D 49 12 41 80 31 67 80 39 90 75 F7 0D 70 0F CF 0F 63 67|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,www.virustotal.com/en/file/2271d99e4a0e9d4198c092637d8f3296c1ce781eb2ebf81f2c1a0e2ca62cb6b5/analysis/; classtype:trojan-activity; sid:30991; rev:6;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Shiqiang Gang malicious XLS targeted attack detection"; flow:to_client,established; flowbits:isset,file.xls&file.ole; file_data; content:"|8B 0C 24 83 C4 04 8D 49 12 41 80 31 67 80 39 90 75 F7 0D 70 0F CF 0F 63 67|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,www.virustotal.com/en/file/2271d99e4a0e9d4198c092637d8f3296c1ce781eb2ebf81f2c1a0e2ca62cb6b5/analysis/; classtype:trojan-activity; sid:30990; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vondola information disclosure attempt"; flow:to_server,established; content:"/sm2e.php"; fast_pattern:only; http_uri; urilen:9; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| en-US|3B| rv|3A|1.9.0.4)|0D 0A|"; http_header; content:"Connection: Close|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b45520d0d0ef1dc1c85325ed067465fbb9a996494439eafe0f73eb81a94caaaa/analysis/; classtype:trojan-activity; sid:30988; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vondola configuration file download attempt"; flow:to_server,established; content:"/configpublic96.dat"; fast_pattern:only; http_uri; urilen:19; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| en-US|3B| rv|3A|1.9.0.4)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b45520d0d0ef1dc1c85325ed067465fbb9a996494439eafe0f73eb81a94caaaa/analysis/; classtype:trojan-activity; sid:30987; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Tenexmed inbound shell command attempt"; flow:to_client,established; content:"!@#$%^ cmd"; fast_pattern:only; dsize:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/475a420bf4b2d73a9704e624443bd8165ff06cae778c4787cb6a38ae52d2feef/analysis/; classtype:trojan-activity; sid:30986; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tenexmed outbound connection"; flow:to_server,established; content:"/html/index.htm"; http_uri; urilen:15; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B|)|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control|3A| no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/475a420bf4b2d73a9704e624443bd8165ff06cae778c4787cb6a38ae52d2feef/analysis/; classtype:trojan-activity; sid:30985; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 89 (msg:"MALWARE-CNC Win.Trojan.Vonriamt outbound connection"; flow:to_server,established; content:"Info|7C|"; depth:5; fast_pattern; content:"|7C|Win"; within:150; distance:20; content:" x"; within:50; distance:5; content:"|7C|"; within:1; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/4487f66d09245193f7566ec6114d80dbdb69663324f00d843fafbb783ac2d70e/analysis/; classtype:trojan-activity; sid:30984; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Karnos variant outbound connection"; flow:to_server,established; content:"/tj/set.asp"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"s="; depth:2; http_client_body; content:"&h="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c6b1581aa0d8e1b95545d676f68aa32cacd55750e2562ddd66b979d7bc07ee47/analysis/; classtype:trojan-activity; sid:30983; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Karnos variant outbound connection"; flow:to_server,established; content:"/plugin/accept/searchlog"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"data=eyJob3N0Ijo"; depth:16; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,virustotal.com/en/file/c6b1581aa0d8e1b95545d676f68aa32cacd55750e2562ddd66b979d7bc07ee47/analysis/; classtype:trojan-activity; sid:30982; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gisetik information disclosure attempt"; flow:to_server,established; content:"/syskit/signer.php"; http_uri; urilen:18; content:"Content-Disposition|3A| form-data|3B| name=|22|GhostTime|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b79f8700762eb2ee39e5d03f17615af50e5ecf75facf57a6e67a7355ebb0d4e3/analysis/; classtype:trojan-activity; sid:30979; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 48919 (msg:"MALWARE-CNC Win.Trojan.Rbrute inbound connection"; flow:to_server,established; dsize:<40; content:"|E0 72 09 AB D5 4F 6E BC 87 B3 3F|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a17fd494bd921d3423c07180a28452344d610824d31fd4ebadf933c88c6f6021/analysis/; classtype:trojan-activity; sid:30978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Jaik variant outbound connection"; flow:to_server,established; content:"/stat?uid="; depth:15; content:"&downlink="; within:70; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass="; distance:0; content:"&version="; distance:0; content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d6d701353be6799ff518f6f3bde9edb3304d688341f854705af10b5024f0fc79/analysis/; classtype:trojan-activity; sid:30977; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D 0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b381b74fcfd2e4db73689af/analysis/; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Cryptodefence variant outbound connection"; flow:to_server,established; stream_size:client,=,125; ssl_state:unknown; content:"|02 00 00 00|"; depth:4; content:!"|00|"; distance:0; byte_extract:3,25,key; byte_test:3,=,key,121; isdataat:!124; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a81d44741a8609c817eeba55da7e20d47fc28a380cd1862a323de3886959134d/analysis/; classtype:trojan-activity; sid:31033; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadnessPro outbound connection"; flow:to_server,established; content:"/?"; http_uri; content:"uid="; http_uri; content:"&mk="; fast_pattern; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:31053; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hesperbot variant outbound connection"; flow:to_server,established; content:"User-Agent: def-ua"; fast_pattern:only; content:"Referer: def-ref"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,symantec.com/security_response/writeup.jsp?docid=2013-090617-0331-99; reference:url,virustotal.com/en/file/68d5eb8b59e69e07bcfa775030add4c9e6b17e9325d937d2dcb61440e784a29d/analysis/; reference:url,welivesecurity.com/2013/09/04/hesperbot-a-new-advanced-banking-trojan-in-the-wild/; classtype:trojan-activity; sid:31051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.WinSpy variant outbound connection"; flow:to_server,established; content:"Current User|3A|"; content:"PC_Active_Time.txt"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/827756a753ecd5e81a538b800fd02d22d1d2de23f19e88b7ce796a4df9086c27/analysis/; classtype:trojan-activity; sid:31081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"log?install"; fast_pattern:only; http_uri; content:"|7C|aid="; nocase; http_uri; content:"|7C|version="; within:15; nocase; http_uri; content:"|7C|id="; within:10; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/domain/exactlyfind.com/information/; classtype:trojan-activity; sid:31080; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/click.php?c="; fast_pattern:only; http_uri; pcre:"/click.php\?c=\w{160}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:31079; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RemoteSpy connection to CNC server"; flow:to_server,established; content:"/upload.php"; http_uri; content:"POST"; http_method; content:"Host: www.remotespy.com"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/be96bf02764332f3560addd0d6fdbcb70bc6a71496d126d0447d4b7f0cf80d7f/analysis/; classtype:trojan-activity; sid:31073; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Cryfile variant outbound connection"; flow:to_server,established; file_data; content:"Subject: Locked:"; fast_pattern:only; content:"PC:"; content:"ID:"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/65b60abfe53b75ed59eaded22f1ee1645699e0776a3e3d2bc33e579c980c9c1d/analysis/; classtype:trojan-activity; sid:31072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/docs/index.php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/octet-stream"; http_header; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/; classtype:trojan-activity; sid:31070; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tobinload variant outbound connection"; flow:to_server,established; urilen:28,norm; content:"/navrh/images/tcss/view"; fast_pattern:only; http_uri; content:"---41284622334|0D 0A|"; http_header; content:!"User-Agent|3A|"; http_header; content:"name=|22|userfile|22 3B|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/09c3cb4a2b7884943a82d629cccf192edb97d89e1ebd9ea815d5109a8eacbb2f/analysis/; classtype:trojan-activity; sid:31066; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Diatraha variant outbound connection"; flow:to_server,established; file_data; content:"Username|20 3A 20|"; depth:11; content:"|0D 0A|Ip|20 3A 20|"; distance:0; content:"|0D 0A|WindowsVersion|20 3A 20|"; within:34; content:"|0D 0A|UI Language|20 3A 20|"; distance:0; content:"|0D 0A|AntiVirus|20 3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/e028999765bf1bec34ed27f13fe0f75779724f269680d85dec457466936ee1a3/analysis/; classtype:trojan-activity; sid:31064; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Expone FTP login attempt"; flow:to_server,established; content:"PASS 1qayse4rfvgz7"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/17fb2c694f47f113f77481a1f520ccaf5c51a6e2f5900288802be48a895753be/analysis/; classtype:trojan-activity; sid:31063; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expone variant outbound connection"; flow:to_server,established; urilen:14,norm; content:"expl"; depth:4; offset:2; nocase; http_uri; content:"rer.exe"; within:7; distance:1; nocase; http_uri; content:"User-Agent|3A| AutoIt|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/17fb2c694f47f113f77481a1f520ccaf5c51a6e2f5900288802be48a895753be/analysis/; classtype:trojan-activity; sid:31062; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/j2/index.php"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2|0D 0A|"; http_header; content:"rotina=rection&maq="; depth:19; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/29dbd4016b38a14221c7f2fc816094ac6945a44480dba67ade4c58aa5965a40d/analysis/; classtype:trojan-activity; sid:31055; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:11; content:"/srt/ge.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2f564890ebbc38b169eb41b/analysis/1400275398/; classtype:trojan-activity; sid:31084; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5013 (msg:"MALWARE-CNC Win.Trojan.Bexelets variant outbound connection"; flow:to_server,established; content:"|A9 A2 AC E1 DE DA BE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/9dd48de24501974c93c697a788555b2dd7e3589154f4808cdf2112ca46f59cdb/analysis/; classtype:trojan-activity; sid:31083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Solimba download attempt"; flow:to_server,established; content:"/installer/4dc9054e-38b0-4614-bdd5-20605bc06f26/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Solimba-A.aspx; classtype:trojan-activity; sid:29417; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Spyrat variant outbound backdoor response"; flow:to_server,established; flowbits:isset,spyrat_bd; dsize:<75; content:"pong|7C|"; depth:5; metadata:policy security-ips drop; reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:31145; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Spyrat variant inbound backdoor keep-alive"; flow:to_client,established; dsize:<75; content:"ping|7C|"; depth:5; flowbits:set,spyrat_bd; metadata:policy security-ips drop; reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:31144; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sloft variant outbound connection"; flow:to_server,established; content:"/core.php"; fast_pattern:only; http_uri; content:"99=1"; http_client_body; content:"&ver="; within:5; nocase; http_client_body; content:"&req="; within:10; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4607b47f6ac0023c2a6e0366a341c2512915880f01f77b875a6a34bd3f1c68ec/analysis/; classtype:trojan-activity; sid:31142; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Deedevil variant outbound connection"; flow:to_server,established; content:"fd/m.php?"; fast_pattern:only; http_uri; pcre:"/m.php\?do=(getvers|status|getcmd)/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9bd357275d348fdc6a472317b36af6d17e7676d47fdfd16eb9fe6ba8f2132e04/analysis/; classtype:trojan-activity; sid:31135; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"MALWARE-CNC Win.Trojan.Petun variant outbound connection"; flow:to_server,established; content:"Project Neptune=0D=0A=0D=0AUsername"; fast_pattern:only; content:"Available Physical Memory"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/944ea13ff13817dbf2cc9da2fe07f71928fe61813221b4f298841f0d14c2201b/analysis/; classtype:trojan-activity; sid:31132; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2145 (msg:"MALWARE-CNC Win.Trojan.Petun variant outbound connection"; flow:to_server,established; content:"Project Neptune"; fast_pattern:only; content:"Windows Key:"; nocase; pcre:"/Windows\s+?Key:\s+?\w{5}-\w{5}-\w{5}-\w{5}-\w{5}/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,www.virustotal.com/en/file/944ea13ff13817dbf2cc9da2fe07f71928fe61813221b4f298841f0d14c2201b/analysis/; classtype:trojan-activity; sid:31131; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"MALWARE-CNC Win.Trojan.Pyrtomsop outbound connection"; flow:to_server,established; content:"-----7da3e1bd0314"; fast_pattern:only; content:"/upload.php"; depth:11; offset:5; content:"|5C|Temp|5C|"; distance:0; content:".zip"; within:40; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/94d16154d1195d3b2822ec405ed95c0f5c9bb67db324d70224a3e0719e2aad80/analysis/; classtype:trojan-activity; sid:31124; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cahecon outbound connection"; flow:to_server,established; urilen:8,norm; content:"/black/?"; http_uri; content:"tipo=alivei&cliente=teste"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/508561492552a31b500c6d59b7c9e200395137bc821f551b3c10067719f1a758/analysis/; classtype:trojan-activity; sid:31121; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marmoolak variant outbound connection"; flow:to_server,established; content:"ProgramMail/Sendmail.cgi"; fast_pattern:only; http_uri; content:"Marmoolak"; nocase; http_client_body; content:"Red-Move.tk"; within:15; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/365771001a70969560497800b1e017b8d77fdfb0ff60bb9e9d0aeb0902a9afcf/analysis/; classtype:trojan-activity; sid:31119; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Garsuni variant outbound connection"; flow:to_server,established; content:"/sugar.php"; nocase; http_uri; content:"DyDns + No-Ip + FTP + Yahoo + Msn + Paltalk"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fcfc20e05634348cf024a1e69ed43c06253699e30f8a895041b80218cf4af15c/analysis/; classtype:trojan-activity; sid:31116; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5655 (msg:"MALWARE-CNC Win.Trojan.Rfusclient outbound connection"; flow:to_server,established; content:"|3C 00|r|00|m|00|a|00|n|00 5F 00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/96472d07e6eb4209b4d7655755514081dc4bff4605fcbed277fcbec7609e27ae/analysis/; classtype:trojan-activity; sid:31114; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:")&dt="; fast_pattern:only; http_client_body; content:"pc="; depth:3; http_client_body; content:"&av="; distance:0; http_client_body; content:"&wd="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; content:"rotina=plogin&login="; fast_pattern:only; http_client_body; content:"&senha="; http_client_body; content:"&casa="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sapart variant outbound connection"; flow:to_server,established; urilen:>250; content:"share.php"; nocase; http_uri; content:"method=Share.download"; nocase; http_uri; content:".exe&fsize="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0e38ec4b931b4c8507605fc213885a09db46a5a0e5f5f883da90ce26956914da/analysis/; classtype:trojan-activity; sid:31174; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection"; flow:to_server,established; urilen:>140; content:"res.aspx?ch="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/545428C82BCFA47F7AAD774C96B95E49D8DDC46968C543277DE63A771E7419C2/analysis/; classtype:trojan-activity; sid:31173; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection"; flow:to_server,established; urilen:12<>14; content:"ref.aspx?s"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/545428C82BCFA47F7AAD774C96B95E49D8DDC46968C543277DE63A771E7419C2/analysis/; classtype:trojan-activity; sid:31172; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scarpnex variant outbound connection"; flow:to_server,established; urilen:14; content:"/tmp/rmf26.jpg"; fast_pattern:only; http_uri; content:!"Accept:"; nocase; http_header; content:!"User-Agent:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/545428C82BCFA47F7AAD774C96B95E49D8DDC46968C543277DE63A771E7419C2/analysis/; classtype:trojan-activity; sid:31171; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8082 (msg:"MALWARE-CNC Win.Trojan.Guise outbound connection"; flow:to_server,established; dsize:<120; content:" - "; depth:66; offset:1; content:"|07|Win"; within:24; distance:1; pcre:"/ \x2D .{1,20}\x07(LAN|PROXY|MODEM|MODEM BUSY|UNKNOWN)\x07Win/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/84a1fa9834571f680315f430fd3be2848f47c7d3877df72be99376e2a4721ef9/analysis/; classtype:trojan-activity; sid:31168; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zadnilay variant outbound connection"; flow:to_server,established; content:"|CE D7 41 87 C6 9F AC 87 02 73 DA 87 7A 9B 5F 87|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/de45aea52b967801a8a95330af9d1cefae5fb764d657071ba76000411a92d7e1/analysis/; classtype:trojan-activity; sid:31147; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:18<>19; content:"POST"; http_method; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:2; distance:7; http_uri; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{7,8}\/$/U"; content:"Trident/5.0"; fast_pattern:only; http_header; content:!"Referer"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31218; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankeiya outbound connection"; flow:to_server,established; content:"/xe/bbs/board.php"; nocase; http_uri; content:"User-Agent|3A| NateOn|2F|"; fast_pattern:only; http_header; content:"&a13=XM&a14="; http_client_body; pcre:"/_X(86|64)&a4=/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2fd17c062988ac50c2490bf2ede06add8a4b4c17bdbe46c3657f3487c4542113/analysis/; classtype:trojan-activity; sid:31183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5000 (msg:"MALWARE-CNC Win.Trojan.Hidead outbound connection"; flow:to_server,established; content:"|19 83 19 84 00 00 00 01 00 00|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/ebb3751bbaa54eaaeb77b0adc13c7000b657bf07342ff9ef91386504064990bb/analysis/; classtype:trojan-activity; sid:31236; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [9003,9400] (msg:"MALWARE-CNC Win.Trojan.Nuckam variant outbound connection"; flow:to_server,established; dsize:50; content:"|2E 00 00 00 83 13 14 6E 5B 4F 77 29|"; depth:12; content:"|C7 21|"; within:2; distance:36; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/e904f850f870ed82859850ae1df67a29dfe69cbba034e74011e4ec0cc758c711/analysis/; classtype:trojan-activity; sid:31235; rev:1;)
alert tcp $EXTERNAL_NET [9003,9400] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Nuckam variant inbound connection"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01 00 0C 24|"; depth:12; content:"-"; within:1; distance:8; content:"-"; within:1; distance:4; content:"-"; within:1; distance:4; content:"-"; within:1; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/e904f850f870ed82859850ae1df67a29dfe69cbba034e74011e4ec0cc758c711/analysis/; classtype:trojan-activity; sid:31234; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Soraya variant initial outbound connection"; flow:to_server,established; content:"/bot.php"; nocase; http_uri; content:"mode=1&uid="; fast_pattern:only; http_client_body; content:"&osname="; nocase; http_client_body; content:"&compname="; within:47; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; reference:url,www.securityweek.com/soraya-malware-mixes-capabilities-zeus-and-dexter-target-payment-card-data; reference:url,www.virustotal.com/en/file/a776441157ea06d5a133edde3cf7f63bda2df69fdfbf23db2852c9882eae8112/analysis/; classtype:trojan-activity; sid:31228; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptor outbound connection"; flow:to_server,established; urilen:<15; content:"2.0.50727|3B| .NET CLR 3.0.04506.30|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| .NET CLR 4.0.3219|29|"; fast_pattern:only; http_header; content:"/b/shoe/"; http_uri; content:"Host: mix-juert.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/679c0c3c31a37cc239a53872653e9bd99cfe0dc18343f7ab34002105a4ebd6f0/analysis/; classtype:trojan-activity; sid:31224; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|3D|"; depth:2; offset:1; http_client_body; content:"Content-Length: 102"; fast_pattern:only; http_header; pcre:"/^[a-z]\x3D[0-9a-z]{100}$/Pm"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:31223; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; urilen:17; content:"/second/game1.inf"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.VBNA variant outbound connection"; flow:to_server,established; content:"/0.gif?"; depth:7; http_uri; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html; classtype:trojan-activity; sid:31260; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Destoplug variant outbound connection"; flow:to_server,established; urilen:10,norm; content:"POST"; http_method; content:"/login.asp"; http_uri; content:"Accept-Language|3A| zh-cn|0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Content-Length|3A|"; http_header; content:"duq1"; depth:4; offset:189; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f3a4dee7c4bdbff7555c8ec630fe20616a74f8ecb40ce6621a53af9f724d5005/analysis/; classtype:trojan-activity; sid:31258; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HAVEX-RAT variant outbound connection"; flow:to_server,established; urilen:>100; content:"php?id="; nocase; http_uri; content:"&v1="; distance:0; http_uri; content:"&v2="; distance:0; http_uri; content:"&q="; distance:0; http_uri; pcre:"/q=[a-f0-9]+$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/file/ebb16c9536e6387e7f6988448a3142d17ab695b2894624f33bd591ceb3e46633/analysis/; classtype:trojan-activity; sid:31255; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.HAVEX-RAT inbound connection to infected host"; flow:to_client,established; file_data; content:"havexhavex-->"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.businessinsider.com/countries-targeted-by-russia-hack-2014-1; reference:url,www.virustotal.com/en/file/ebb16c9536e6387e7f6988448a3142d17ab695b2894624f33bd591ceb3e46633/analysis/; classtype:trojan-activity; sid:31254; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; urilen:43; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/"; distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Utishaf variant outbound connection"; flow:to_server,established; content:"/google/command.asp"; fast_pattern:only; http_uri; content:"hostname="; http_uri; content:"DC="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/e5a0a4943723bd6dd8fadd4e2efa0ef0a6040f2ea09c4130d12430b344bf4eb0/analysis/; classtype:trojan-activity; sid:31242; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection"; flow:to_server,established; content:"Key logger is now on"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/d0305e07f449c73e6a49b38e6e2ef1087690788747fbcbf594d44f8bff11b879/analysis/; classtype:trojan-activity; sid:31241; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dosoloid variant outbound connection"; flow:to_server,established; urilen:7; content:"/ip.dat"; fast_pattern:only; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/d0305e07f449c73e6a49b38e6e2ef1087690788747fbcbf594d44f8bff11b879/analysis/; classtype:trojan-activity; sid:31240; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Toumlec variant outbound connection"; flow:to_server,established; content:"/api/soft4/openbook/?&p="; depth:24; http_uri; content:"|0D 0A|"; within:2; distance:64; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virusradar.com/en/Win32_LockScreen.BDU/description; reference:url,virustotal.com/en/file/579117dea6edc4405a0426b6511ae2a158a4d1970e968eb4799ebd9d4a43d353/analysis/; classtype:trojan-activity; sid:31307; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Toumlec variant outbound connection"; flow:to_server,established; content:"/api/soft4/dump/?&affid="; depth:24; http_uri; content:"&sid="; within:5; distance:6; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virusradar.com/en/Win32_LockScreen.BDU/description; reference:url,virustotal.com/en/file/579117dea6edc4405a0426b6511ae2a158a4d1970e968eb4799ebd9d4a43d353/analysis/; classtype:trojan-activity; sid:31306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hadeki variant outbound connection"; flow:to_server,established; content:"Keylogger-Output"; fast_pattern:only; http_uri; content:"Date:"; http_uri; content:"Time:"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/file/5ac34962a097055f6daa3a7bae347a8e7b8e8a0b32038d19f74f4f39cb9e87d9/analysis/; classtype:trojan-activity; sid:31303; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:!"User-Agent"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:10,>,50,0,relative,string,dec; byte_test:10,<,250,0,relative,string,dec; content:"Connection|3A 20|Keep-Alive|0D 0A|Cache-Control|3A 20|no-cache"; http_header; content:"Content-Type|3A 20|application/octet-stream"; http_header; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:service http; classtype:trojan-activity; sid:31299; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"/workers.php?mac="; fast_pattern:only; http_uri; content:"&gpu="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_server,established; content:"/publickey/ HTTP/1.1|0D 0A|User-Agent: Wget/1.9|0D 0A|Host: "; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:31293; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vextstl outbound connection"; flow:to_server,established; content:"vKey=APOCALYPSELEGENDZ&uID"; fast_pattern:only; http_client_body; content:"&cID="; offset:26; http_client_body; content:"&vCountry="; within:75; http_client_body; content:"&vLang="; distance:0; http_client_body; content:"&vVer="; distance:0; http_client_body; content:"&vOS="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c9e47868860fea9232c52ee05f367b8b88a91c762b5e88bec2fa4217b0e8ce31/analysis/; classtype:trojan-activity; sid:31290; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Bladabindi variant outbound download request"; flow:to_server,established; content:!"User-Agent: "; http_header; content:"?gu="; http_uri; content:"&e="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader%3aMSIL%2fBladabindi.A; reference:url,virustotal.com/en/file/cff1ca60680289b65c040322285a5704d44cde672cfed3fe15d216a3d2b93fa1/analysis/; classtype:trojan-activity; sid:31288; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vectecoin coin mining program download attempt"; flow:to_server,established; content:"/KVAZVB/files/"; fast_pattern:only; http_uri; content:"User-Agent|3A| AutoIt|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8cc48dd39dccd0944516c086be2a368a38f7cb3d56e2a05aa0bf750fb52d63b4/analysis/; classtype:trojan-activity; sid:31273; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vectecoin outbound command request attempt"; flow:to_server,established; content:"/KVAZVB/command.php?uid="; fast_pattern:only; http_uri; content:"&task="; nocase; http_uri; content:"User-Agent|3A| AutoIt|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8cc48dd39dccd0944516c086be2a368a38f7cb3d56e2a05aa0bf750fb52d63b4/analysis/; classtype:trojan-activity; sid:31272; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vectecoin information disclosure attempt"; flow:to_server,established; content:"/KVAZVB/accept.php"; fast_pattern:only; http_uri; urilen:18; content:"&gpu_1"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8cc48dd39dccd0944516c086be2a368a38f7cb3d56e2a05aa0bf750fb52d63b4/analysis/; classtype:trojan-activity; sid:31271; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rofin variant outbound connection"; flow:to_server,established; urilen:>130; content:"/txt/"; fast_pattern:only; http_uri; content:"ver="; nocase; http_uri; content:"uid="; within:10; nocase; http_uri; content:"lip="; within:20; nocase; http_uri; content:"mac="; within:25; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b50b4aed7b69ae40173c3d3560e0cef246ab31ff4413690bb4dd6af4bc2a0ffc/analysis/; classtype:trojan-activity; sid:31328; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zediv outbound connection"; flow:to_server,established; content:"User-Agent: MyAgent"; fast_pattern:only; http_header; content:"?cmd=1&u="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/70f11ac22ac6d01dd211868b5299f2535213b8e2f01f6a7332d19f1749c5562f/analysis/; classtype:trojan-activity; sid:31319; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3001 (msg:"MALWARE-CNC Win.Trojan.Orbot variant outbound connection"; flow:to_server,established; content:"/ba_log.asp?game=install"; fast_pattern:only; content:"User-Agent: WebForm 1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0d02d1653ccffe6bb74763e09da16ba988200a92dedf308447ea6dbd4bd7d489/analysis/; classtype:trojan-activity; sid:31317; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsnu variant outbound connection"; flow:to_server,established; content:"Fiur5sDzx2col.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9930bcad32f2eb128e9c3627681a17abdf7618a7b9f5923dd83a1532ba74d31d/analysis/; classtype:trojan-activity; sid:31316; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Daikou variant outbound connection"; flow:to_server,established; content:"/bbs/download/log.asp"; fast_pattern:only; http_uri; content:"n="; http_uri; content:"id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f36b89585c818f588dbc6e47dcede346136b60402ddc62e68d2c1cde9cd6e8dd/analysis/; classtype:trojan-activity; sid:31314; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bicololo outbound connection"; flow:to_server,established; content:"/get_json?stb="; http_uri; content:"&did="; within:5; distance:1; http_uri; content:"User-Agent|3A| Downloader 1.3|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/FC69E79BA0CEED6843156244E3B0E68D85EEAEC7059A4B180CB10C19E8B1D4E6/analysis/; classtype:trojan-activity; sid:31355; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 86 (msg:"MALWARE-CNC Win.Trojan.Ajtonj variant outbound connection"; flow:to_server,established; urilen:>350; content:"/users/01/login.asp"; fast_pattern:only; http_uri; content:"User-Agent: http://"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/235fe516a724bab50a3f20bddc53ab7b75aa861ad87f5181f5a485788c672eb0/analysis/; classtype:trojan-activity; sid:31346; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mcdravsm variant outbound connection"; flow:to_server,established; content:"ORr9s6IXnkLe4v0oYu9J"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/67bd81f4c5e129d19ae71077be8b68dc60e16c19019b2c64cdcedca1f43f0ae3/analysis/; classtype:trojan-activity; sid:31345; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Levyatan variant outbound connection"; flow:to_server,established; content:"/Leviathan/includes/get.php"; fast_pattern:only; http_uri; content:"User-Agent: levia"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/7a455eb1784db7f42cf44d1b0b53ca7a5f082d88d95424e286d505397465544/analysis/; classtype:trojan-activity; sid:31344; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mecklow variant outbound connection system information disclosure"; flow:to_server,established; content:"index_refer: "; fast_pattern:only; http_header; content:"/GAUV96.jsp?="; depth:13; http_uri; content:!"Accept: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=BACKDOOR:WIN32/SHOCO.C; reference:url,virustotal.com/en/file/3ab6658abd6f75a37ba08769e934b5ed14d55afaafc615cee7421e7477227978/analysis/; classtype:trojan-activity; sid:31343; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Httneilc variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A| HTClient|3B| .NET CLR 1.1.4336|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A| 128|0D 0A|"; http_header; pcre:"/^\x2f[0-9]{4,10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/82d3fbecd209d6e8282b20f4c3cf831132e480d60ea908622100325346bb9294/analysis/; reference:url,www.virustotal.com/en/file/e6362c998482d27367bb4344442bd2bd4d26e8455733029f87d19930c89e7cb8/analysis/; classtype:trojan-activity; sid:31359; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Kegis.A outbound connection"; flow:to_server,established; content:"/support/virscan"; fast_pattern:only; http_uri; content:"type=trial"; http_uri; content:"charge=free"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2f6f2b5b356db1620fecdbf92fbaf7abffec0d8d79893c809bdd31a0169ecbc8/analysis/; classtype:trojan-activity; sid:31424; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Subla variant outbound connection"; flow:to_server,established; content:"php?getcmd=1&uid="; http_uri; content:"&port="; distance:0; http_uri; content:"|3A 3A|"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/669cf6c87a16ea8e243d408a96210491dd18b3fe3d974c545f25426836392fbb/analysis/; classtype:trojan-activity; sid:31418; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:<17; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Connection: Close|0D 0A|Content-Length: 100|0D 0A|User-Agent: "; fast_pattern:only; content:"="; depth:1; offset:1; http_client_body; pcre:"/[a-z]=[a-f0-9]{98}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall downloader attempt"; flow:to_server,established; urilen:<20; content:"User-Agent|3A 20|macrotest|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f(css|upload)\x2f[a-z]{2}[0-9]{3}\x2eccs/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:4; content:"/re/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MSIL Worm command and control connection"; flow:to_server,established; content:"&v=1.0.0VB&s="; fast_pattern:only; http_client_body; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/0376f3a89d856029e09a7c735da0c6c51097c7f9f46a6297316b63162a9fb638/analysis/; classtype:suspicious-login; sid:31433; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/viewforum.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:!"Referer:"; http_header; content:!"Cookie:"; http_header; pcre:"/sid=[0-9A-F]{32}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:9; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D 0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"/query?version="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ref="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1177,81] (msg:"MALWARE-CNC Win.Trojan.Jaktinier outbound connection"; flow:to_server,established; content:"lv|7C 27 7C 27 7C|"; fast_pattern:only; content:"|7C 27 7C 27 7C|Win"; offset:20; content:"|7C 27 7C 27 7C|[endof]"; distance:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/e055b597e5eb7aa86762891dbb1e1444b2ed38736705574870f2cb2664a668c7/analysis/; classtype:trojan-activity; sid:31459; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; urilen:8; content:"/install"; http_uri; content:"argc="; depth:5; http_client_body; content:"&name="; distance:0; http_client_body; content:"&previous="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server, established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,8080,443] (msg:"MALWARE-CNC Win.Trojan.CosmicDuke HTTP data exfiltration attempt"; flow:to_server,established; content:"/index.php?i="; depth:25; fast_pattern; content:!"&"; within:40; content:"|20|HTTP"; within:5; distance:40; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/cb4fc98f33021ac890e717f8927bfcaddaaacac9bf9be71578c7baaf9f9cbf02/analysis/; classtype:trojan-activity; sid:31556; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Yakes variant inbound connection"; flow:to_client,established; content:"tfardci_session="; fast_pattern:only; content:"tfardci_session="; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0315e00abdd546832b5a42fb8dd819904dfb8463edddd9f4fa66e6df6c33e0ea/analysis/; reference:url,www.virustotal.com/file/f829808c506180657ea490e4280b7613d6e0b0d711f37762ddaa8f1b9e4713a2/analysis; classtype:trojan-activity; sid:31548; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes variant inbound connection"; flow:to_server,established; content:"|44 0A 17 17 0C 46 44 1F 1D 0C 27 15 17 1C 0D 14 1D 58 1A 17 0C 16 1D 0C 45 5A 49 4A 48 5A 58 16|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/0315e00abdd546832b5a42fb8dd819904dfb8463edddd9f4fa66e6df6c33e0ea/analysis/; reference:url,www.virustotal.com/file/f829808c506180657ea490e4280b7613d6e0b0d711f37762ddaa8f1b9e4713a2/analysis; classtype:trojan-activity; sid:31547; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Koobface variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/achcheck.php"; fast_pattern:only; http_uri; content:"Content-Length|3A 20|0|0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b216a667fdfcbf402e28a72f8264ed91529a63b75610ffe98fc68caad3392d5f/analysis/; classtype:trojan-activity; sid:31545; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Koobface variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?action="; nocase; http_uri; content:"gen&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d+/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef420005a10d73b840604b517c4760400ccfc6c5baba0ae5d05ec6f88e56821e/analysis/; classtype:trojan-activity; sid:31544; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"MALWARE-CNC Win.Trojan.Xolominer malicious user detected"; flow:to_server,established; content:"|22|AXbbkuVvYbhdjCdkjNQcCgDPZHUixHY7hn"; depth:35; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/41cff4db42730a6d9b2a8c69ebc94df571c35b5983824747512f23352c9d0aae/analysis/; classtype:trojan-activity; sid:31533; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/index.php?email=libpurple_XMPP"; fast_pattern:only; http_uri; content:"&method=post"; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.CosmicDuke FTP data exfiltration"; flow:to_server,established; content:"STOR fp"; depth:7; fast_pattern; content:".bin|0D 0A|"; within:6; distance:44; pcre:"/STOR fp[0-9A-F]{44}\x2ebin/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/41d63d293a6e2722fcf82f8bf67b8f566bd4d3f669ede146ccc286f0228d8f62/analysis/; classtype:trojan-activity; sid:31564; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Backdoor Elirks.A command and control traffic"; flow:to_server,established; content:"POST"; http_method; content:"Windows NT 5.1|3B| SV1"; nocase; http_header; content:"|26|key=OK"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d710454f73fa3a18f362131a529c6e1c08cb5c83baf908faf1e5ab6d3d1ee5a4/analysis/; classtype:trojan-activity; sid:31563; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backoff initial outbound connection"; flow:to_server,established; content:"&op="; depth:4; http_client_body; content:"&id="; within:4; distance:1; http_client_body; content:"&ui="; within:4; distance:7; http_client_body; content:"&bv="; distance:0; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3a40b3fcb0707e9b5ae6dd9c7b4370b101c37c0b48fa56a602a39e6d7d5d0de5/analysis/; classtype:trojan-activity; sid:31586; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; dsize:15<>18; content:"|3A|bpass|0A|"; fast_pattern:only; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31607; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Glupteba payload download request"; flow:to_server,established; content:"/software.php?"; fast_pattern:only; http_uri; content:"Accept|3A| */*"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.1|3B|"; http_header; pcre:"/\/software\x2ephp\x3f[0-9]{15,}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31606; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client"; flow:to_client,established; dsize:6; content:"READY|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31605; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client"; flow:to_client,established; dsize:6; content:"READD|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31604; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; dsize:6; content:"HELLO|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31603; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SMSSend outbound connection"; flow:to_server,established; content:"sms"; http_uri; content:".ashx?t="; fast_pattern:only; http_uri; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4d4ca47c9ae5cb9049700bb/analysis/1406724303/; classtype:trojan-activity; sid:31593; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Noniem.A outbound connection"; flow:to_server,established; content:"/winone1/post.php?filename="; fast_pattern:only; http_uri; content:"User-Agent: Python-urllib/2.7"; http_header; content:"Accept-Encoding: identity"; http_header; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/890f88af1756ce3296ca58f26f3e96fcace00048bc5f1c13a62b896e90ddea26/analysis/; classtype:trojan-activity; sid:31633; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; urilen:16; content:"/boydn/boye.html"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established; content:"/api.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|UNAVAILABLE"; http_header; content:"method="; http_client_body; content:"&app_key="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity; sid:31644; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; http_header; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/get_"; http_uri; content:"did="; distance:0; http_uri; content:"&file_id="; distance:0; http_uri; content:"User-Agent|3A| Downloader"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0F45FB61856437CB3123C4DEAC68942C17ADC6534719E583F22E3DE1F31C1CA5/analysis/; classtype:trojan-activity; sid:31689; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur variant outbound connection"; flow:to_server,established; content:"/get/?data="; depth:11; http_uri; content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31683; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9; content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9; http_cookie; content:") Chrome/"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:12; content:"/support.exe"; fast_pattern:only; http_uri; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; content:"&string="; fast_pattern:only; http_client_body; content:"key="; depth:4; http_client_body; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_header; content:".php"; http_uri; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Inbound command to php based DoS bot"; flow:to_server,established; content:".php?host="; http_uri; content:"&length="; distance:0; http_uri; content:"&port="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31672; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; content:"/gateway.php"; fast_pattern:only; http_uri; content:"val="; nocase; http_client_body; content:"&page="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:31669; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SoftPulse variant outbound connection"; flow:to_server,established; content:"Proxy-Authorization: Basic |0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"; fast_pattern:only; http_header; urilen:>135; pcre:"/^\x2f[a-f0-9]{135}/Um"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ee87af42dda91f6ed6ccedcd20736cb1d00a96f26138c0c6698c9837c1525dee/analysis/; classtype:trojan-activity; sid:31717; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Otupsys variant outbound connection"; flow:to_server,established; content:"/el/s"; fast_pattern:only; http_uri; content:".php?"; nocase; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; http_header; pcre:"/^\/el\/\w+?\.php\?\w+?=\w{32}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0158; reference:url,www.virustotal.com/en/file/be131179c02fa7b2c6e0883a776e26a81d57b85a99410665faa604b57e87a2e8/analysis/; classtype:trojan-activity; sid:31716; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Ragua variant outbound connection"; flow:to_server,established; content:"STOR Lbtf.ugz"; depth:13; content:".ugz|0D 0A|"; within:6; distance:19; pcre:"/STOR\s+Lbtf\x2eugz(\d{2}\x2d){2}\d{4}(\x2d\d{2}){3}\x2eugz/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,securelist.com/blog/research/66108/el-machete/; reference:url,www.virustotal.com/en/file/8a510076a2ce8c3958fd953dce986185df0a255a23d736ae12b0a89a412ff080/analysis/; classtype:trojan-activity; sid:31715; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ragua variant outbound connection"; flow:to_server,established; urilen:>21; content:"/Audio/Audio.txt"; fast_pattern:only; http_uri; content:"/Audio//Audio.txt"; nocase; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securelist.com/blog/research/66108/el-machete/; reference:url,www.virustotal.com/en/file/8a510076a2ce8c3958fd953dce986185df0a255a23d736ae12b0a89a412ff080/analysis/; classtype:trojan-activity; sid:31714; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ragua variant outbound connection"; flow:to_server,established; urilen:>17; content:"/Geo/Geo.txt"; fast_pattern:only; http_uri; content:"/Geo//Geo.txt"; nocase; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securelist.com/blog/research/66108/el-machete/; reference:url,www.virustotal.com/en/file/8a510076a2ce8c3958fd953dce986185df0a255a23d736ae12b0a89a412ff080/analysis/; classtype:trojan-activity; sid:31713; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ragua variant outbound connection"; flow:to_server,established; urilen:>20; content:"/WebCam/Cam.txt"; fast_pattern:only; http_uri; content:"/WebCam//Cam.txt"; nocase; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,securelist.com/blog/research/66108/el-machete/; reference:url,www.virustotal.com/en/file/8a510076a2ce8c3958fd953dce986185df0a255a23d736ae12b0a89a412ff080/analysis/; classtype:trojan-activity; sid:31712; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Korgapam outbound connection"; flow:to_server,established; dsize:9; content:"Password|3A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ed855200be3f4068841654085718f43b1bf94dedb1c791b1d6aa5ebf1b957126/analysis/; classtype:trojan-activity; sid:31706; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Korplug Poisoned Hurricane Malware outbound connection"; flow:to_server,established; urilen:25; content:"|3A 20|0|0D 0A|"; content:"|3A 20|0|0D 0A|"; within:20; distance:1; content:"|3A 20|61456|0D 0A|"; within:20; distance:1; fast_pattern; content:"|3A 20|1|0D 0A|"; within:20; distance:1; content:"Content-Length|3A 20|0|0D 0A|"; distance:0; pcre:"/\/[0-9A-F]{24}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0c74e954440c86202e972b9ab94071d4b9fa8dd45c502e4e683a2d0b3a78717e/analysis/; classtype:trojan-activity; sid:31693; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kronos variant outbound connection"; flow:to_server,established; content:"/upfornow/connect.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept: "; http_header; content:"|0D 0A 0D 0A|"; distance:0; isdataat:!74,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9806d1b664c73712bc029e880543dfa013fdd128dd33682c2cfe5ad24de075b9/analysis/; classtype:trojan-activity; sid:31691; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Critroni outbound connection"; flow:to_server,established; dsize:174; urilen:1; content:"/"; http_uri; content:"Host|3A| ip.telize.com|0D 0A|Accept|3A| */*|0D 0A|User-Agent|3A| Mozilla/5.0 |28|Windows NT 6.1|3B| WOW64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/31.0.1650.63 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b3c92d7a9dead6011f3c99829c745c384dd776d88f57bbd60bc4f9d66641819b/analysis/; classtype:trojan-activity; sid:31718; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Waski variant outbound connection"; flow:to_server,established; content:".zip"; nocase; http_uri; content:"User-Agent: Opera10"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c78000c8ff5b58ebb877fb5140f26679db7d73107cd3fc176d90d28a4b5b8921/analysis/; classtype:trojan-activity; sid:31722; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Miras variant outbound connection"; flow:to_server,established; content:"|63 D7 36 36|"; depth:4; content:"|36 36 42 53 45 42 7F 72 36 36|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/B908FA279D95D0CD15BFD762DB4BEF95BA63A32F4ACED9BA6AA0C0D1A433AB5C/analysis/; classtype:trojan-activity; sid:31755; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elpapok outbound connection"; flow:to_server,established; dsize:4; content:"|BE FD 6F 70|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e45d77f0ac831c59077b7a2616e5c1e10772c92e6ed8b7874337468302eed9d/analysis/; classtype:trojan-activity; sid:31753; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qulkonwi outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|http|3A 2F 2F|"; fast_pattern:only; http_header; content:"/rename/00006/c.php|3F|tip=|5B|"; depth:25; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3339d8961e6b7c87a1be3abce85affbe6cd1fcabd0d06e00cfaa8fdb141bd114/analysis/; classtype:trojan-activity; sid:31748; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Eratoma outbound connection"; flow:to_server,established; content:"Subject|3A 20|Hello|3A 20|"; fast_pattern:only; content:"|0D 0A|PC|3A 20|"; content:"|0D 0A|Text|3A 20|Install|0D 0A|IP|3A 20|"; within:36; content:"|0D 0A|CD|3A 20|"; within:21; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/054e989864df7e6445d1b3785aff25488e9ac1097cf86792f308f8529c1b85f5/analysis/; classtype:trojan-activity; sid:31744; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length:"; depth:15; http_header; content:"Host:"; distance:0; http_header; content:!"User-Agent"; http_header; content:!"Content-Type:"; http_header; content:!"Connection:"; http_header; urilen:>45; pcre:"/\/[a-z0-9\x2f]{45}/Ui"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/378e0f166e399537e9e4c2ca882205b4a5872a5d524b6adfc75d6cd0c2c9a687/analysis/; classtype:trojan-activity; sid:31772; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ecsudown outbound connection"; flow:to_server,established; content:"m=IgA9ADgAEwB"; fast_pattern:only; http_client_body; content:"/ie.asp"; http_uri; content:"AA=="; http_client_body; isdataat:!1,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2308097be047590f2f61f6781c1ae254d6880929eaaa426db61d061d5f0aa563/analysis/; classtype:trojan-activity; sid:31768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.IptabLex outbound connection"; flow:to_server,established; content:"|77 01 00 E9 03 E9 03 00 00 00 00 00 00 03 00 00 00 0D|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/4baf340e3701b640ad36fb8f606e2aa7f494dd34dc3315c0943f3325c7766f80/analysis/; classtype:trojan-activity; sid:31808; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [587,2525] (msg:"MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt"; flow:to_server,established; content:"Subject|3A| Limitless Logger |3A 20 3A| Execution Confirmation"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/0589867003D1F0382AB28DC0BA28E22AB89C6F8CB19834B4E68B41785189C76E/analysis/; classtype:trojan-activity; sid:31807; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [587,2525] (msg:"MALWARE-CNC Win.Trojan.Nighthunter data exfiltration attempt"; flow:to_server,established; content:"Subject|3A| Predator Pain "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/0589867003D1F0382AB28DC0BA28E22AB89C6F8CB19834B4E68B41785189C76E/analysis/; classtype:trojan-activity; sid:31806; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE-CNC Win.Trojan.Dizk variant outbound connection"; flow:to_server,established; dsize:80; content:"|38 CE 64 01 BA 7F 62 03 42 DD 66 05 F4 DB C3 03 07 F8 DB 00 13 F1 0E 02 6D E7 4C 01|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html; reference:url,www.infosecisland.com/blogview/23567-Vietnamese-Malware-Gets-Very-Personal.html; reference:url,www.virustotal.com/en/file/cb4c23e3c9b8d1555b4d072b39153f60f07b17bc6f076539f9ea7162b641d211/analysis/; classtype:trojan-activity; sid:31805; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Retgate variant outbound connection"; flow:to_server, established; content:"name=Reserved&host"; fast_pattern; http_client_body; content:"|0D|&browser"; distance:0; http_client_body; content:"/gate.php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e68bf502b50112c88621e89c65a4a1d95b17d1862803c87f4b4a93191cc03880/analysis/; classtype:trojan-activity; sid:31837; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Seribe variant outbound connection"; flow:to_server, established; content:"Beriiesh/getjob.php?mac="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/440cc1a5aaa2e68063dda579ec88088414b7ef110cc647f8dfb3c1aff7f2fcf4/analysis/; classtype:trojan-activity; sid:31836; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yesudac variant outbound connection"; flow:to_server, established; content:"/st.imga"; http_uri; content:"User-Agent: EXE"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2698ec8a8ad139664737f43daa5188347e9cb40fb1dc4bd2a893cd40c68ff08d/analysis/; classtype:trojan-activity; sid:31835; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Delorado variant outbound connection"; flow:to_server, established; content:"/news1/knock.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8f7b4c6d2b82235e71335f34cd84801bbbeeaf2de91031cae1362408b23fa239/analysis/; classtype:trojan-activity; sid:31834; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chkbot outbound connection"; flow:to_server,established; content:"|3A|80|0D 0A|Connection: close|0D 0A|User-Agent|3A 20|"; fast_pattern:only; http_header; content:"i="; http_client_body; content:"&d="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/58f301053a2f3492bd08e13d101ebaf51ea545e108729140ecf2db4d2646697c/analysis/; classtype:trojan-activity; sid:31833; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pfinet outbound connection"; flow:to_server,established; content:"?lang=en&section="; fast_pattern:only; http_uri; content:"&action="; depth:100; offset:50; http_uri; content:"|3A|8&site="; within:50; distance:3; http_uri; content:".com"; within:30; distance:7; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2007aa72dfe0c6c93beb44f737b85b6cd487175e7abc6b717dae9344bed46c6c/analysis/; classtype:trojan-activity; sid:31832; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"MALWARE-CNC Win.Trojan.Jabberbot variant outbound connection"; flow:to_server,established; content:"AHRyZWRuZXQAdHJlZGJvdG5ldA=="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/2d8c7a675fafdd06d81b4c243fb0888faab7b031bb9f3654f41088556bfb4c92/analysis/; classtype:trojan-activity; sid:31828; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: "; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer:"; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4; distance:168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"dados="; depth:6; http_client_body; content:"&ct="; distance:0; http_client_body; content:"/"; within:1; distance:2; http_client_body; content:"/201"; within:4; distance:2; http_client_body; content:"="; within:1; distance:1; http_client_body; content:"&windows="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri; content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D 0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Darkcomet outbound keepalive signal sent"; flow:to_server,established,no_stream; dsize:22; byte_test:1,>=,0x30,21; byte_test:1,<=,0x46,21; pcre:"/^[0-9A-F]{22}$/"; detection_filter:track by_src, count 5, seconds 120; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/ada8229ce99b8386e89eb94ecab678ae79c8638b3eaf3532b847cff2b201c232/analysis/; classtype:trojan-activity; sid:31814; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro outbound connection"; flow:to_server,established; dsize:<200; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/"; http_header; content:"ompatible|3B| MSIE 31|3B| "; within:20; distance:6; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c716890a2a76785d53e8f9a5db2268501a30df807df4c4323967672efe452c/analysis/; classtype:trojan-activity; sid:31813; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/dnotify.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.0|3B| SLCC1|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e762a58de912c2f9766924d89aefd2c33ec660ef2e53b4e0a94bd3ad1f1134ad/analysis/; classtype:trojan-activity; sid:31904; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter variant outbound connection"; flow:to_server,established; content:"/getway.php"; fast_pattern:only; http_uri; content:"page="; depth:5; nocase; http_client_body; content:"&unm="; within:53; nocase; http_client_body; content:"&cnm="; within:25; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html; reference:url,www.virustotal.com/file/CAE3CDAAA1EC224843E1C3EFB78505B2E0781D70502BEDFF5715DC0E9B561785/analysis/; reference:url,www.xylibox.com/2013/08/point-of-sale-malware-infostealerdexter.html; classtype:trojan-activity; sid:31897; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Magnetor vairant outbound connection"; flow:to_server, established; urilen:37; content:"ID="; depth:3; http_cookie; content:!"User-Agent"; http_header; content:"Connection: keep-alive|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip|0D 0A 0D 0A|"; distance:0; http_header; pcre:"/\r\nCookie|3A\ID=[a-f0-9]{12}/H"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3b2ecd538b8ac3260528f391eeec129aaaa17ee92dafaa6b466d9c4baa5232a4/analysis/; classtype:trojan-activity; sid:31896; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Toupi variant outbound connection"; flow:to_server,established; content:"/test.php"; http_uri; content:!"Content-Type"; http_header; content:"1:[System Process],System,smss.exe,"; depth:35; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7753c08b3c13dccd91275641db3d5084c59e4b8c4b0e40021069dc0f2c6145f6/analysis/; classtype:trojan-activity; sid:31895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Threebyte variant outbound connection"; flow:to_server,established; urilen:>80; content:"/UID"; nocase; http_uri; content:".jsp?"; within:5; distance:4; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/63615ce2294ea65a061bdb51ab0771c12efcf4e77770f03a2826d57354f843ff/analysis/; classtype:trojan-activity; sid:31885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Waterspout outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E|29 0D 0A|"; fast_pattern:only; content:".php?"; depth:5; offset:20; content:"_id="; within:4; distance:3; pcre:"/^GET \/\w+\/\d{5}\/[a-z]{4}\.php\?[a-z]{3}\x5Fid=[A-Za-z0-9+\/]{43}= HTTP\//"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/04bc77063782fe632de911cd25dd8727bc597d0cc7ddfe9127d5a8ecb66e7bad/analysis/; classtype:trojan-activity; sid:31883; rev:3;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.Jynxkit outbound connection"; flow:to_client,established; dsize:18; content:"Bump with shell.|0A 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0814612658b0a485c7b1fb2bde07514e4692256765fcd4567807e5e25db47cdf/analysis/; classtype:trojan-activity; sid:31925; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?method="; http_uri; content:"&mode=sox&v="; fast_pattern:only; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%"; fast_pattern:only; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/trdpr/trde.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC WIN.Trojan.Ziyazo variant outbound connection"; flow:to_server,established; content:"|2A AE 2B DC|"; depth:4; fast_pattern; byte_extract:4,0,data_length,relative,little; content:"|38 08 88|"; within:3; distance:4; isdataat:data_length,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/f6e1f835b4087765aba6cc921f8d8a20bf8969f85e1859d2c770fab31139ae42/analysis/; classtype:trojan-activity; sid:31915; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maozhi variant outbound connection"; flow:to_server,established; content:"/c/c.asp?f="; depth:11; http_uri; content:"&c="; within:3; distance:8; http_uri; content:"MB-a----"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e0c6fafd8980a9055c65fc5defbc34fcf3ac4912dd5d88cdc438a3c8831f3c0d/analysis/; classtype:trojan-activity; sid:31913; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.MSIL.Gareme variant outbound connection"; flow:to_server, established; content:"Operating System Intel Recovery"; fast_pattern:only; content:"CPU Name"; content:"Jdownloader Password Recovery"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,www.virustotal.com/en/file/c9186bb347ff40e424673600d31ffefa4d10fa41f47c00e2351f539e47c1cf00/analysis/; classtype:trojan-activity; sid:31911; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Basostab variant outbound connection"; flow:to_server,established; content:"insdb.php?table="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 |28|compatible|3B| Synapse|29|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9ad844876594d86aa03c450f791ff3807ab848d511c1f9ee965a7d4074bd4ff5/analysis/; classtype:trojan-activity; sid:31909; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Honerep variant outbound connection"; flow:to_server, established; content:"User-Agent: http_requester/0.1"; fast_pattern:only; http_header; content:"/index.php"; http_uri; content:"version="; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8c54844a7081bed106a115cca0604324cfded115d87a2bd82e085c4087e889bf/analysis/; classtype:trojan-activity; sid:31907; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2010 (msg:"MALWARE-CNC Win.Trojan.Zegorg variant outbound connection"; flow:to_server, established; content:"|00 00 A8 01 00 00 78 9C|"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/7dea3b6a62c6156ba343cfdfe85637b9ec240eb650103f1dec0b6e77bb1adde3/analysis/; classtype:trojan-activity; sid:31974; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0="; depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|"; http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/notify.php"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MSIL.Torct variant outbound connection"; flow:to_server, established; content:"/SlaveOnline.php"; fast_pattern:only; http_uri; content:"Host: www.anonsec.bl.ee"; http_header; content:"online=True"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fe2c412c65956d4f0756a8cd24ca71f917918a584776cc3d87660aadc618d037/analysis/; classtype:trojan-activity; sid:31957; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ezbro variant outbound connection"; flow:to_server,established; urilen:>190; content:"/feed.dll?pub_id="; fast_pattern:only; http_uri; content:"&ua="; nocase; http_uri; content:!"User-Agent|3A|"; http_header; pcre:"/\/feed\.dll\?pub_id=\d+?\&ua=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/44da825df86530b3dc72649e935bc6f603543ab5efe064797805ab8a2b5fbf92/analysis/; classtype:trojan-activity; sid:31955; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ezbro variant outbound connection"; flow:to_server,established; urilen:57; content:"/click?sid="; fast_pattern:only; http_uri; content:"&cid="; nocase; http_uri; pcre:"/\/click\?sid=\w{40}\&cid=/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/44da825df86530b3dc72649e935bc6f603543ab5efe064797805ab8a2b5fbf92/analysis/; classtype:trojan-activity; sid:31954; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tavdig outbound connection"; flow:to_server,established; content:"Cookie|3A| catid="; fast_pattern:only; content:"|3B| task="; http_cookie; content:"|3B| forumid="; within:100; http_cookie; content:"|3B| Itemid="; within:50; http_cookie; content:"|3B| link="; within:50; http_cookie; content:"|3B| layout="; within:50; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/3b8bd0a0c6069f2d27d759340721b78fd289f92e0a13965262fea4e8907af122/analysis/; classtype:trojan-activity; sid:31944; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Pedrp variant outbound connection"; flow:to_server, established; content:"/td/index.dat?"; fast_pattern:only; http_uri; content:"User-Agent: myAgent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/61d6264130dab2b7db43f0fce461a802008a179b126ec86501ba0721a09cb8f1/analysis/; classtype:trojan-activity; sid:31941; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kanav variant outbound connection"; flow:to_server,established; content:"/icons/ddk.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c27048cffafadac1630876c76684d7895ea3662e4a28ea1ba53a126bc0ea8d51/analysis/; classtype:trojan-activity; sid:31930; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kanav variant outbound connection"; flow:to_server,established; content:"/counter/update1.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c27048cffafadac1630876c76684d7895ea3662e4a28ea1ba53a126bc0ea8d51/analysis/; classtype:trojan-activity; sid:31929; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Becontr variant outbound connection"; flow:to_server, established; content:"/raw.php?i=GnAMvdDh"; fast_pattern; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7b0b0b0a8553e1a350d4911f6df6b6bd4ab74fd90c38f1d114fb657f053dcf84/analysis/; classtype:trojan-activity; sid:31928; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Worm.Zorenium variant outbound connection"; flow:to_server, established; content:"Computer.exe"; content:"here is your requested facebook chat beta invite"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/0e203e6ae0609c554747557da0a5be6f709b9d26b25660e9321e6c0f39574f38/analysis/; classtype:trojan-activity; sid:32002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound connection"; flow:to_server,established; dsize:10; content:"BUILD X86|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32011; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection attempt"; flow:to_server,established; content:"/bin/busybox|3B|echo -e |27 5C|147|5C|141|5C|171|5C|146|5C|147|5C|164|27 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service telnet; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command"; flow:to_client,established; dsize:<15; content:"|21 2A 20|SCANNER ON"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Ganiw variant outbound connection"; flow:to_server, established; content:"|F4 01 00 00 32 00 00 00 E8 03|"; depth:10; offset:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/70afb98a09ca604f65f78a10ef72d2d05d17721f301c15b47a3e2437eefe1ed9/analysis/; classtype:trojan-activity; sid:32040; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload.awt variant outbound connection"; flow:to_server, established; content:"/Register.asp?IDPC="; fast_pattern; http_uri; content:"&SO="; within:4; distance:14; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c37239af97109b93a7e3d2a3ece6bc14df44e702db52f564843ca5541558c72/analysis/; classtype:trojan-activity; sid:32037; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Somoca vaniant outbound connection"; flow:to_server, established; content:"/ujakj/ek.php"; fast_pattern:only; http_uri; content:"cs=aW5zZXJ0"; depth:11; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/70b387a63a7ee51c0f2c7d32651b7adc910398ff64da5d958d26626c07375eee/analysis/; classtype:trojan-activity; sid:32036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boleteiro variant outbound connection"; flow:to_server, established; content:"/html/4760..asp?"; fast_pattern:only; http_uri; content:"Vencimento="; http_uri; content:"&Sacado="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b03eeb286f91c6b7b5a4cd2f322081821fdf6aeff6f28b03270a84165bb86d42/analysis/; classtype:trojan-activity; sid:32035; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Larefervt variant outbound connection"; flow:to_server, established; content:"Referal:vt_2"; fast_pattern:only; http_client_body; content:"/joe.php"; http_uri; content:"-------------------------------------------|0A|Detect VM:"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d41534b6d2213436a23061188a1485ae0a61121cd6d1117de7b8d5e2da14bbea/analysis/; classtype:trojan-activity; sid:32034; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Larosden variant outbound connection"; flow:to_server,established; content:"&knock=eyJib3RpbmZvIjp7InVwbG9hZElk"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/910a04313949a4398bb3f352af54e566a7cfd7f0df610a1697c4b4f158113cdd/analysis/; classtype:trojan-activity; sid:32033; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Decibal variant outbound connection"; flow:to_server,established; content:"/FISIER.php?"; fast_pattern:only; http_uri; content:"co="; http_uri; content:"us="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f579187ef0879ea8a999bd39720d9e08b53fc783cf3d168ba21304cb3144e806/analysis/; classtype:trojan-activity; sid:32031; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Klabcon variant outbound connection"; flow:to_server, established; content:"|00 00 64 1C 01 00 00|"; depth:7; offset:8; fast_pattern; content:"|4D 53 4E 44 54 53|"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da07ac67d3622bef4bd371f73805ae55344d12ae89d55c985e2d88b2951f4114/analysis/; classtype:trojan-activity; sid:32028; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sinpid variant outbound connection"; flow:to_server, established; content:"action=nG0WVXSWGa9rGSmt"; fast_pattern:only; http_client_body; content:"/common.asp"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/19447e39bc05b67576a963e35e5a50a4461f4b44363c5a5589047257f5e9b9b8/analysis/; classtype:trojan-activity; sid:32023; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Krompt variant outbound connection"; flow:to_server, established; content:"USER AS_ # # :"; fast_pattern:only; content:"JOIN :#"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/e72c0330360e4dcffb0771ca167274279cbadc7742b2dc70ffcbfc471ef62bf6/analysis/; classtype:trojan-activity; sid:32020; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8010 (msg:"MALWARE-CNC Win.Backdoor.Hupigon.NYK variant outbound connection"; flow:to_server, established; content:"|A1 01 00 00|"; fast_pattern:only; dsize:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/f0c4a721889ec37db3abae98e1e63e0d95c088ff9ee8a27b8ba9004f78aca0a6/analysis/; classtype:trojan-activity; sid:32018; rev:2;)
alert tcp $HOME_NET any -> any [139,445] (msg:"MALWARE-CNC Win.Trojan.Memlog SMB file transfer"; flow:to_server,established; content:"|FF|SMB|2F 00 00|"; fast_pattern:only; content:"k"; depth:64; offset:32; content:"k"; within:4; distance:1; content:"k"; within:4; distance:1; content:"f"; within:4; distance:1; content:"A"; within:1; distance:16; pcre:"/([etDZhns8dz]{1,3}k){3}[etDZhns8dz]{1,3}f[etDZhns8dz]{16}A/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929/analysis/; classtype:trojan-activity; sid:32017; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Menteni variant outbound connection"; flow:to_server, established; content:"/bot/post.php"; fast_pattern:only; http_uri; content:"user="; depth:5; http_client_body; content:"&cle="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1e5ef3149ea6cc3174120659c952f8ef521db29d09672e1341c7c4ba3e7a8b89/analysis/; classtype:trojan-activity; sid:32016; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Zeus variant outbound connection"; flow:to_server, established; content:"/.DAV/mode.jpg"; fast_pattern:only; http_uri; content:"Accept: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cd955682925942ef964100641271d8ef974498a1ba6a3879ac0e8c9182d3270/analysis/; classtype:trojan-activity; sid:32015; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Worm.Darlloz variant outbound connection"; flow:to_server, established; content:"/project/cpuminer/pooler-cpuminer"; fast_pattern:only; http_uri; content:"User-Agent: Wget"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dfa42a3c29a66422d0bc7b012affd9f253a4589fca1881bed6297e50a631e8bb/analysis/; classtype:trojan-activity; sid:32013; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Bipamid variant outbound connection"; flow:to_server, established; content:"/eng/test/jp"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (Compatible|3B| MSIE 6.0|3B|)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7b0b0b0a8553e1a350d4911f6df6b6bd4ab74fd90c38f1d114fb657f053dcf84/analysis/; classtype:trojan-activity; sid:32012; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:46<>51; content:"/x/"; depth:3; fast_pattern; http_uri; content:"UA-CPU: "; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32067; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:20<>23; content:"/b/pkg/T202"; depth:11; fast_pattern; http_uri; content:"UA-CPU: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fb\x2fpkg\x2fT202[0-9a-z]{10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32066; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Asprox inbound connection"; flow:to_client,established; content:"Content-Length: 30"; http_header; file_data; content:"|3C|html|3E 3C|body|3E|hi!|3C 2F|body|3E 3C 2F|html|3E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan-Downloader.Nekill variant outbound connection"; flow:to_server, established; content:"/?&uid="; depth:7; fast_pattern; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/42a6a5d3feac4f14e423345fa41bff31234583cab70a3bf7782855249d298065/analysis/; classtype:trojan-activity; sid:32061; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Masatekar variant outbound connection"; flow:to_server, established; content:"ABCDE|ED 00 00 00 E0 00 00 00 66 00 00 00 9C 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/7398c88bff1883466c0cdc7fa668753158ac018a307735f94e93342b3116d8c6/analysis/; classtype:trojan-activity; sid:32058; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Xsser mRAT file upload"; flow:to_server,established; content:"/TargetUploadFile.aspx?tmac="; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:32054; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Xsser mRAT GPS data upload"; flow:to_server,established; content:"/TargetUploadGps.aspx?&tmac="; fast_pattern:only; http_uri; content:"&JZ"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:32053; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Larosden variant outbound connection"; flow:to_server, established; content:"/includes/pcl/tmp"; fast_pattern:only; http_uri; content:"hwid="; depth:5; http_client_body; content:"&knock=eyJib3RpbmZvIjp"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/910a04313949a4398bb3f352af54e566a7cfd7f0df610a1697c4b4f158113cdd/analysis/; classtype:trojan-activity; sid:32050; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lecpetex variant outbound connection"; flow:to_server, established; content:"&target="; fast_pattern:only; http_uri; content:"/index.php?"; http_uri; content:"?product_id="; http_uri; content:"&dispatch="; within:34; http_uri; content:"DNT: 1"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c5ded8a8134cc350142029e7c2f71d5b9389215e058a7806fd535fdca9fdd96d/analysis/; classtype:trojan-activity; sid:32048; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Puver variant outbound connection"; flow:to_server, established; content:"/true/?mzjN"; fast_pattern:only; http_uri; content:"znKpL"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cc79978d11c2cb21541ba8ddf573450ed6ddf4ddc136330070433ab399406dbd/analysis/; classtype:trojan-activity; sid:32096; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server, established; content:"/note_mode.php"; fast_pattern:only; http_uri; content:"Content-Disposition: form-data|3B| name=|22|kirq|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f9260dcf96dd4088bbbcdba698d32bf66a14204520a46ed540e101a27400cb54/analysis/; classtype:trojan-activity; sid:32093; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Backdoor.PcertStealer variant outbound connection"; flow:to_server, established; content:"Accept-Language: hs-uk"; fast_pattern:only; content:"Accept-Encoding:gzip ,deflate"; content:"Accept:*/*"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d8facc69a8166f3bbfddd4a26ba41ad25c183ab181920c92d705dd1c4e237bdb/analysis/; classtype:trojan-activity; sid:32091; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Saaglup variant outbound connection"; flow:to_server, established; content:"|11 11 11 11 00 00 00 00|"; depth:8; http_client_body; content:"|01 00 00 00|"; within:4; distance:2; http_client_body; content:"|78 9C|"; within:2; distance:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9cd10d41844bba73ef3c32f7652b676c4e743c8725f2ee077adde901cedf1c4c/analysis/; classtype:trojan-activity; sid:32090; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Corkow variant outbound connection"; flow:to_server,established; content:"/runk/c.php"; fast_pattern:only; http_uri; content:"Content-Type: multipart/form-data|3B| boundary=------"; http_header; content:"--------"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2585633afd4a5408f724a8dc33e1995cba3ef5730f1ebffe31f2e551bfc1ee3e/analysis/; classtype:trojan-activity; sid:32086; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Small variant outbound connection"; flow:to_server, established; content:"User-Agent: Update"; fast_pattern:only; http_header; content:"a=1&b="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e3a2be6b38e96a8b3b1a2b0f7407b81852b143693866fb0e8f5c3b6fb93814f8/analysis/; classtype:trojan-activity; sid:32075; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot payload download attempt"; flow:to_server,established; content:"/mod_articles-auth-"; depth:19; fast_pattern; http_uri; content:"/jquery/"; within:8; distance:7; http_uri; content:"Accept: */*|0D 0A|Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32074; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot outbound connection"; flow:to_server,established; content:"/b/shoe/"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fb\x2fshoe\x2f[0-9]{3,5}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32073; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot configuration download attempt"; flow:to_server,established; content:"/mod_"; http_uri; content:"/soft"; http_uri; content:".dll"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fsoft(64|32)\x2edll$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Zapchast variant outbound connection"; flow:to_server, established; content:"/mpdf51/mpdfi/filters/filters/"; fast_pattern:only; http_uri; content:"User-Agent: POSTHttp"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1f384f12f7361d69cf15f4d2ab5a55bd2efe4b533bf7adb833bad5503f028433/analysis/; classtype:trojan-activity; sid:32071; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalgan variant outbound connection"; flow:to_server, established; content:"MUID="; fast_pattern:only; content:"MCI="; depth:4; http_cookie; content:"MUID="; within:18; distance:16; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/07db7603d2d27a08553d2864cf2bef3c9515635e0f8692514f42c1a0debe8eb4/analysis/; classtype:trojan-activity; sid:32070; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/beta/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downloader variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"h="; depth:2; http_client_body; content:"&w="; distance:0; http_client_body; content:"&ua="; distance:0; fast_pattern; http_client_body; pcre:"/^h=\d+&w=\d+&ua=/Psi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7fe5f4acf1b6170cf7b836e55ad22d38aa9eae10c3ce85524b2a3254d145597d/analysis/; classtype:trojan-activity; sid:32129; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Lizarbot outbound connection"; flow:to_server,established; content:"USER "; content:"_"; within:2; distance:3; content:"x"; within:2; distance:2; content:"_"; within:1; distance:2; content:" 0 * :"; within:20; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/294f637d99b530ddd55695287d944ef2335d52232cc364d2ff1bb837e48fd780/analysis/; classtype:trojan-activity; sid:32126; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"/testing/"; http_uri; urilen:9; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8F093B5704867E18BB7DDBACBA7C1C6F2341FA451EB5D110C9034BC364C44997/analysis/; classtype:trojan-activity; sid:32123; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Kryptik variant outbound connection"; flow:to_server,established; content:"|16 00 00 00 42 42 43 42 43 01 00 00 00 78 9C 4B 05 00 00 66 00 66|"; fast_pattern:only; dsize:22; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c1a4d53bbfeb9eabaac01f1dc32b58a744b9c8865ba06e2721e6ec7824d1ee2/analysis/; classtype:trojan-activity; sid:32121; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt"; flow:to_server,established; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32181; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt"; flow:to_client,established; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32180; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,80,443,5432] (msg:"MALWARE-CNC WIN.Trojan.Plugx variant outbound connection"; flow:to_server,established; content:"HHV1:"; content:"HHV2:"; within:20; content:"HHV3: 61456"; within:20; fast_pattern; content:"HHV4:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns, service http, service ssl; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32179; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.iWorm variant outbound connection"; flow:to_server,established; content:"User-Agent: ocspd (unknown version) CFNetwork/520.5.1 Darwin/11.4.2 (i386) (VMware7%2C1)"; http_header; content:"|30 56 30 54 A0 03 02 01 00 30 4D 30 4B 30 49 30|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1fb2ffb9f958bf5561d726abae9a715674e73aa3b26bd544151b59dc140e53f9/analysis/; classtype:trojan-activity; sid:32175; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [137,139,445] (msg:"MALWARE-CNC Win.Trojan.BlackPOS stolen data transfer to internal staging area"; flow:to_server,established; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|t|00|e|00|m|00|p|00 5C 00|d|00|o|00|t|00|n|00|e|00|t|00 5C 00|N|00|D|00|P|00|4|00|5|00|-|00|K|00|B|00|2|00|7|00|3|00|7|00|0|00|8|00|4|00|-|00|x|00|8|00|6|00 2E 00|e|00|x|00|e|00|"; distance:0; nocase; metadata:impact_flag red, service netbios-ssn; reference:url,www.virustotal.com/en/file/b579c8866f7850110a8d2c7cc10110fa82f86a8395b93562f36e9f500a226929/analysis/; classtype:trojan-activity; sid:32172; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zxshell variant outbound connection"; flow:to_server,established; content:"|20|OS|3A 20|"; content:"|20|CPU|3A|"; distance:0; content:"Hz,RAM|3A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a9338ed7c04306c1de46889d6b/analysis/; classtype:trojan-activity; sid:32192; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackEnergy2 outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"id=x"; depth:4; fast_pattern; http_client_body; content:"_"; within:64; http_client_body; content:"&bid="; within:17; http_client_body; content:"&dv="; distance:0; http_client_body; content:"&mv="; distance:0; http_client_body; content:"&dpv="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/; classtype:trojan-activity; sid:32189; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackEnergy3 outbound connection"; flow:to_server,established; content:"/aG91c2VhdHJlaWRlczk0/dirconf/check.php"; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:"&bid="; within:5; distance:40; http_client_body; content:"&nm="; distance:0; http_client_body; content:"&cn="; distance:0; http_client_body; content:"&num="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/; classtype:trojan-activity; sid:32188; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Soaphrish variant outbound connection"; flow:to_server,established; content:"Service1.asmx"; fast_pattern:only; http_uri; content:"GetCommand"; nocase; http_header; content:"Expect:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5ecd08c9a6a9aca74e7c783fc898a68f8ad63742befa31966960652d3f4a9327/analysis/; classtype:trojan-activity; sid:32202; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.Mujormel outbound connection"; flow:to_server,established; content:"|0D 0A|Subject: "; content:" O N L I N E"; within:20; distance:1; fast_pattern; content:"|0D 0A|IP_CLIENTE.: "; distance:0; content:"|0D 0A|CLIENTE....: "; within:30; distance:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/81e503eee9ad431c0e24d87df6e47677954b31a6d6cccd0219f2d5d1236cc4f5/analysis/; classtype:trojan-activity; sid:32198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zerolocker variant outbound connection"; flow:to_server,established; urilen:>40; content:"/zImprimer/"; depth:11; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e292cbe7ddbc036009d7ef0deaab49d12005c9267e12a338bbba7782925ef1a6/analysis/; classtype:trojan-activity; sid:32197; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|PLUG|22 0D 0A|"; fast_pattern:only; http_client_body; content:"form-data|3B| name=|22|PC|22 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|SEG|22 0D 0A|"; distance:0; http_client_body; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Palebot variant outbound connection"; flow:to_server, established; content:"/barokh/index.php/customer"; fast_pattern:only; http_uri; content:"User-Agent: Internet Explorer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3f0bb02dfb2ed04d717dcf431a7c889e054ac8635940c891d50144c90fb6bbe0/analysis/; classtype:trojan-activity; sid:32195; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dubrute variant outbound connection"; flow:to_server,established; urilen:<12; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; content:"NewPleaseGetMySource$$="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2433004e56cf6263d323dd73f0e1d31a7c5515325b664db27208df87c77282b7/analysis/; classtype:trojan-activity; sid:32194; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dubrute variant outbound connection"; flow:to_server,established; urilen:<12; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; content:"NewSetRdpAliveState$$="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2433004e56cf6263d323dd73f0e1d31a7c5515325b664db27208df87c77282b7/analysis/; classtype:trojan-activity; sid:32193; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; urilen:27; content:"/blog-trabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.MSIL.Liroospu variant outbound connection"; flow:to_server, established; content:"/remote/server.php?"; fast_pattern:only; http_uri; content:"&host="; http_uri; content:"&user="; distance:0; http_uri; content:"&date="; distance:0; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/196939c1bc1e2c642183cfc2f426697fe37f271f465cfc84ff1c244c5bcec506/analysis/; classtype:trojan-activity; sid:32222; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Kazy download detected"; flow:to_server,established; file_data; content:"get_k|00|get_l0|00|get_l1|00|get_l2|00|get_l3|00|get_l4|00|get_l5|00|get_l6|00|get_l7|00|get_l8|00|get_l9|00|get_l10|00|get_l11|00|get_l12|00|get_l13|00|get_l14|00|get_l15|00|get_l16|00|get_l17|00|get_l18|00|get_l19|00|get_l20|00|get_l21|00|get_l22|00|get_l23|00|get_l24"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/9d4f4224eb1fda4a90c775e59730e0e404d5a0f82d4e48f240e1337dbcb0bb05/analysis/; classtype:trojan-activity; sid:32221; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kazy download detected"; flow:to_client,established; file_data; content:"get_k|00|get_l0|00|get_l1|00|get_l2|00|get_l3|00|get_l4|00|get_l5|00|get_l6|00|get_l7|00|get_l8|00|get_l9|00|get_l10|00|get_l11|00|get_l12|00|get_l13|00|get_l14|00|get_l15|00|get_l16|00|get_l17|00|get_l18|00|get_l19|00|get_l20|00|get_l21|00|get_l22|00|get_l23|00|get_l24"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/9d4f4224eb1fda4a90c775e59730e0e404d5a0f82d4e48f240e1337dbcb0bb05/analysis/; classtype:trojan-activity; sid:32220; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackEnergy INF file download attempt"; flow:to_client,established; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern:only; content:"HKLM,Software|5C|Microsoft|5C|Windows|5C|CurrentVersion|5C|RunOnce,Install"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/71264a32c22e2778a1942bb8c7b0ee08a73ffdfab6b7cc890bc4598c1ee9bdf5/analysis/; classtype:trojan-activity; sid:32259; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected"; flow:to_server,established; content:"/info.xml"; http_uri; content:"Host:"; http_header; content:"update-adobe.com"; within:30; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32250; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WIN.Trojan.Clemint variant outbound connection"; flow:to_server,established; content:"/?name1=<tr><td>"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c331ddf1104c7a7f556c97d0aeb87ab1ab174a3e13d87a7b866651e8a226e57f/analysis/; classtype:trojan-activity; sid:32243; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC FrameworkPOS data exfiltration through DNS - beacon message"; flow:to_server; content:"|06|beacon"; content:"dc"; within:6; distance:3; nocase; content:"dc"; within:6; distance:2; nocase; content:"dc"; within:6; distance:2; nocase; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:trojan-activity; sid:32312; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rehtesyk outbound connection"; flow:to_server,established; content:"User-Agent: Firefox|0D 0A|"; fast_pattern:only; content:"first="; depth:6; http_client_body; content:"&data="; within:7; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b1347df8f8940039cb68bd4e2568e8c68b1f1a0067ac9a0fb1a5f1aef2df61ea/analysis/; classtype:trojan-activity; sid:32311; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Farfli variant outbound connection"; flow:to_server,established; content:"FWKJG"; depth:5; fast_pattern; content:"|78 01 00 00|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/184c083e839451c2ab0de7a89aa801dc0458e2bd1fe79e60f35c26d92a0dbf6a/analysis/; classtype:trojan-activity; sid:32310; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Acanas variant outbound connection"; flow:to_server,established; content:"fernando/RMT/Portal.php?nombre="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4a2019286de4a6bed9e4775e753ca7f52ae6dd31da1779d87fd89da701475b88/analysis/; classtype:trojan-activity; sid:32293; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Cryptolocker download detected"; flow:to_server,established; file_data; content:"|00|R|00|e|00|a|00|d|00|E|00|x|00|c|00|e|00|l|00|.|00|E|00|X|00|E|00 00|"; fast_pattern:only; content:"A|00|n|00|w|00|e|00|n|00|d|00|u|00|n|00|g|00 20 00|R|00|e|00|a|00|d|00|E|00|x|00|c|00|e|00|l|00 00|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/; classtype:trojan-activity; sid:32292; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Cryptolocker download detected"; flow:to_server,established; file_data; content:"c|00|:|00 5C 00|M|00|Y|00|a|00|p|00|P|00|.|00|e|00|X|00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/; classtype:trojan-activity; sid:32291; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptolocker download detected"; flow:to_client,established; file_data; content:"|00|R|00|e|00|a|00|d|00|E|00|x|00|c|00|e|00|l|00|.|00|E|00|X|00|E|00 00|"; fast_pattern:only; content:"A|00|n|00|w|00|e|00|n|00|d|00|u|00|n|00|g|00 20 00|R|00|e|00|a|00|d|00|E|00|x|00|c|00|e|00|l|00 00|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/; classtype:trojan-activity; sid:32290; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptolocker download detected"; flow:to_client,established; file_data; content:"c|00|:|00 5C 00|M|00|Y|00|a|00|p|00|P|00|.|00|e|00|X|00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/ad9692b0d589faf72121e4c390138dfe872fe913f73dd1edb699e60bab38f875/analysis/; classtype:trojan-activity; sid:32289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sapertilz variant outbound connection"; flow:to_server,established; content:"/cgi-bin/session?name="; depth:22; http_uri; content:"@"; distance:0; http_uri; content:"|20|"; distance:0; http_uri; content:"&serial="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/91e3d08c7e86f38725842943a843d85ec2a50a785b1d1364e914cb9b8b222ffd/analysis/; classtype:trojan-activity; sid:32287; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zoxpng variant outbound connection"; flow:to_server,established; urilen:>200; content:"imgres?q=A380&hl=en-US&sa="; fast_pattern:only; http_uri; content:"&imgrefurl="; nocase; http_uri; content:"&imgurl="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.novetta.com/files/9114/1329/6233/ZoxPNG_Preliminary_Analysis.pdf; reference:url,www.virustotal.com/en/file/07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d/analysis/; classtype:trojan-activity; sid:32285; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spamnost variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/stat1.php"; depth:10; http_uri; content:"Host: 87.75.44.12|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/1c3b131e2958ef681f843870ca61131924bbcf1c30c8a45d9ec052ddedd4f541/analysis/; classtype:trojan-activity; sid:32273; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WIN.Trojan.Hesechca variant outbound connection"; flow:to_server,established; content:"/update2/submit_ticket.php"; fast_pattern:only; http_uri; content:"&category="; http_client_body; content:"&priority="; http_client_body; content:"&message="; http_client_body; content:"&FileLocation="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/dcba379bcb415d95f0e4412c6dcbdc6726b211a4ec0874111d308fbaba4ca3ba/analysis/; classtype:trojan-activity; sid:32272; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tinba variant outbound connection"; flow:to_server,established; content:"/new1djs657shd/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0aca4efd69c9331751f0e9d13f434aa640a0f94eb1b522b5e4100aefc47670fb/analysis/; classtype:trojan-activity; sid:32270; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"MALWARE-CNC Win.Trojan.Cakwerd variant outbound connection"; flow:to_server,established; content:"ZnVja3lvdQ=="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/b24d47f811138b6d876b9906fee0718a25d48a95e7207543443ab2f36e19fe9a/analysis/; classtype:trojan-activity; sid:32341; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ropest variant outbound connection"; flow:to_server,established; content:"/?ver="; http_uri; content:"&os="; distance:0; http_uri; content:"&res="; distance:0; content:"Accept-Asterope: true"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/eda0ee72b64d78496fad5ac3f0dff9c8291f8751df7d8ebb62242c7a915b7e31/analysis/; classtype:trojan-activity; sid:32338; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stantinko variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/modules/mod_proxy/proxy.php"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"pass="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/99c69981aecf111b66006e675f144764f2a8bcd270c8a0bbc976d8f1a6e086f7/analysis/; reference:url,www.virustotal.com/en/file/caf1832e76b5bc663b4dcc77b8ae3ac226481ba16af39bab866d391369529d2b/analysis/; classtype:trojan-activity; sid:32334; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established; content:"/gate.php"; depth:9; http_uri; content:"}GRGRGRGR}"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/a3cf855b9bfbb17e4e293c6d28290de4329338a988b5c6a33e35e7bc6f3b0c3b/analysis/; classtype:trojan-activity; sid:32332; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maener variant outbound connection"; flow:to_server,established; content:"/signin.php?id="; fast_pattern; http_uri; content:"&aver="; distance:0; http_uri; content:"User-agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32331; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maener variant outbound connection"; flow:to_server,established; content:"/method/wall.get.xml"; fast_pattern:only; http_uri; content:"User-agent: "; http_header; content:!"Accept: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32330; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maener variant outbound connection"; flow:to_server,established; content:"/method/groups.getById.xml?fields="; fast_pattern:only; http_uri; content:"User-agent: "; http_header; content:!"Accept: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Maener variant download request"; flow:to_server,established; content:"/tools/RegWriter.exe.raum_encrypted"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ce55ff49ec4d360a1aa06ddf378a44d9a72c49677142298df1b56ce7be871cca/analysis/; classtype:trojan-activity; sid:32328; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsune variant outbound connection"; flow:to_server,established; content:"/backup.php?"; depth:12; http_uri; content:"="; within:6; http_uri; content:"="; depth:4; http_client_body; content:"AA"; within:2; distance:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6ad7b0b82957a55db92d621bf6689243fc4048d76062e3c9ce233d6c0fa95700/analysis/; classtype:trojan-activity; sid:32354; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound spam attempt"; flow:to_server,established; file_data; content:"/images/chcm/healthcare_online.gif"; fast_pattern:only; content:"/images/chcm/m_products.gif"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/c0a2d8dfe7f4eea54c0128b11a8a15d12a5c842572346f11e4f8fd43f207748e/analysis/; classtype:attempted-user; sid:32344; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound spam attempt"; flow:to_server,established; file_data; content:"/images/chcm/healthcare_online.gif"; fast_pattern:only; content:"/images/chcm/m_products.gif"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/c0a2d8dfe7f4eea54c0128b11a8a15d12a5c842572346f11e4f8fd43f207748e/analysis/; classtype:attempted-user; sid:32343; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex variant outbound connection"; flow:to_server,established; content:"/bin.exe"; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.04506.648|3B| .NET CLR 3.5.21022)"; fast_pattern:only; http_header; content:!"Referer"; http_header; pcre:"/\/bin\.exe$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9ad8b524f53542a0fc2dc9bf21291a88d289d0c1be0050606069d48704fa5675/analysis/; classtype:trojan-activity; sid:32368; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection"; flow:to_server,established; urilen:<10; content:"/update"; http_uri; content:"POST"; http_method; content:"|0D 0A|Accept-Encoding:|0D 0A|Connection: close|0D 0A|Content-Length: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity; sid:32367; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Akaza variant outbound connection"; flow:to_server,established; content:"/info.php"; depth:9; http_uri; content:"s=INSERT+INTO+info4+("; depth:21; http_client_body; content:"+values+"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/106D7963BF3228BEBF8FF8FF3DE20860EB772FFA033DAC3C2881ADCA3465F36B/analysis/; classtype:trojan-activity; sid:32357; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:32374; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Broonject variant outbound connection"; flow:to_server, established; content:"puzzleofworld.com"; fast_pattern:only; http_header; content:"Set-Cookie: A"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22c430fce3cae672c378cdf0508e9ad2f386f27296628634c05fa9a18610af7f/analysis/; classtype:trojan-activity; sid:32373; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Drepitt variant outbound connection"; flow:to_server, established; content:"/getaction2.php?pl="; fast_pattern:only; http_uri; content:"User-Agent: AutoIt"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/50e48a9be8734e8b7eb80988a75bc4fdb4ed8d490ce78919488a0c0c7456a957/analysis/; classtype:trojan-activity; sid:32372; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Orcarat variant outbound connection"; flow:to_server,established; content:"=2|2F|"; fast_pattern:only; http_uri; urilen:100<>150; content:"|2F|"; depth:2; offset:17; http_uri; content:!"|25|"; http_raw_uri; pcre:"/^\x2f[A-Za-z0-9+~=]{16,17}\x2f[A-Za-z0-9+~=]{35,40}\x2f[A-Za-z0-9+~=]{8}\x2f[A-Za-z0-9+~=]*?\x2f[A-Za-z0-9+~=]{12,30}$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32397; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Orcarat variant outbound connection"; flow:to_server,established; content:"=2 HTTP/1.1|0D 0A|"; fast_pattern:only; urilen:100<>150; content:"|2F|"; depth:2; offset:17; http_uri; content:!"|25|"; http_raw_uri; pcre:"/^\x2f[A-Za-z0-9+~=]{16,17}\x2f[A-Za-z0-9+~=]{35,40}\x2f[A-Za-z0-9+~=]{8}\x2f[A-Za-z0-9+~=]*?\x2f[A-Za-z0-9+~=]{12,30}$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32396; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Orcarat variant outbound connection"; flow:to_server,established; content:"=1|2F|"; fast_pattern:only; http_uri; urilen:100<>150; content:"|2F|"; depth:2; offset:17; http_uri; content:!"|25|"; http_raw_uri; pcre:"/^\x2f[A-Za-z0-9+~=]{16,17}\x2f[A-Za-z0-9+~=]{35,40}\x2f[A-Za-z0-9+~=]{8}\x2f[A-Za-z0-9+~=]*?\x2f[A-Za-z0-9+~=]{12,30}$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32395; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Orcarat variant outbound connection"; flow:to_server,established; content:"=1 HTTP/1.1|0D 0A|"; fast_pattern:only; urilen:100<>150; content:"|2F|"; depth:2; offset:17; http_uri; content:!"|25|"; http_raw_uri; pcre:"/^\x2f[A-Za-z0-9+~=]{16,17}\x2f[A-Za-z0-9+~=]{35,40}\x2f[A-Za-z0-9+~=]{8}\x2f[A-Za-z0-9+~=]*?\x2f[A-Za-z0-9+~=]{12,30}$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/074C472406E38385FE769FBAAA72C7259247F42EF1B9140F31228AFC66AFBC67/analysis/; classtype:trojan-activity; sid:32394; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Baccamun variant outbound connection"; flow:to_server,established; content:"|A5 D0 A5 AB 00|"; depth:5; content:"|00 00 00|"; depth:3; offset:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/054e989864df7e6445d1b3785aff25488e9ac1097cf86792f308f8529c1b85f5/analysis/; classtype:trojan-activity; sid:32379; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Havex outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.36 Safari/525.19"; http_header; content:"php?id="; http_uri; content:"&v2="; http_uri; content:"q=45474bca5c3a10c8e94e56543c2bd"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7933809aecb1a9d2110a6fd8a18009f2d9c58b3c7dbda770251096d4fcc18849/analysis/; classtype:trojan-activity; sid:32513; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443] (msg:"MALWARE-CNC PCRat variant outbound connection"; flow:to_server,established; content:"HTTPS"; depth:5; nocase; content:"|00 00 78 9C|"; depth:4; offset:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b165bce83216ff95df43acfdb9c7239c1edd9412d4b93487cbae111ceb7be8a5/analysis/; classtype:trojan-activity; sid:32512; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"MALWARE-CNC PCRat variant outbound connection"; flow:to_server,established; content:"PCRat"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/b165bce83216ff95df43acfdb9c7239c1edd9412d4b93487cbae111ceb7be8a5/analysis/; classtype:trojan-activity; sid:32511; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 205 (msg:"MALWARE-CNC Linux.Trojan.PiltabeA outbound connection"; flow:to_server,established; dsize:157; content:"|CE 04 00 00|"; content:"w"; depth:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a27ae25072d781587bb73783a03d3c0f32953e96da0384c54bd368522117f2d0/analysis/; classtype:trojan-activity; sid:32510; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Secdeskinf outbound connection"; flow:to_server, established; content:"/informer/info.php"; depth:18; http_uri; content:"cmd="; http_uri; content:"data="; http_client_body; content:"uid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/5f764eea5c48aeeccb25e32c1a999188d3c92cddc7337d3a6e880afd4b195f90/analysis/; classtype:trojan-activity; sid:32506; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection"; flow:to_server,established; content:"kill.txt"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.2|3B|SV1|3B| TencentTraveler |3B| .NET CLR 1.1.4322)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/6bedd1b0716fe7632188932451f75295346836545e6d2bfee1b56121e02ca110/analysis/; classtype:trojan-activity; sid:32505; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Kiler attempted outbound connection"; flow:stateless; content:"MlCROS0FT|7C|"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/6bedd1b0716fe7632188932451f75295346836545e6d2bfee1b56121e02ca110/analysis/; classtype:trojan-activity; sid:32504; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection"; flow:to_server,established; content:"VERSONEX|3A|"; depth:9; dsize:1024; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/65a2a3e36c842baa12d3115074f19b77f7a21275f6a6750ba0ae3aa3f6a47c94/analysis/; classtype:trojan-activity; sid:32494; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.SpikeA variant outbound connection"; flow:to_server,established; content:"VERS0NEX|3A|"; depth:9; dsize:1024; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/f2ea67c47fbba006c264419013c8ba6782922422086962d0bb1d9547629ea021/analysis/; classtype:trojan-activity; sid:32493; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Exadog variant outbound connection"; flow:to_server,established; content:"22Kq6Sf"; depth:7; offset:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ce09b0c393a461df7c98ba6d33d0a1d4b1a7f4cded653c9335c231b3ea724ec8/analysis/; classtype:trojan-activity; sid:32487; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Backdoor.Exadog outbound connection"; flow:to_server,established; content:"|B0 00 00 00|"; depth:4; content:"|00 00 00 70 2C 53 9D|"; within:7; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6e20a3fd8fdb828df7add41700cd1923a48969d1e8377a85e9dc319a18eeaf90/analysis/; classtype:trojan-activity; sid:32486; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankeiya outbound connection"; flow:to_server,established; content:"/getp.asp"; fast_pattern:only; http_uri; content:"?MAC="; http_uri; content:"&VER="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6dd4851811656d5aa27b817600f43b7958febabee6464cea939cafcfbff12bc3/analysis/; classtype:trojan-activity; sid:32469; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TorrentLocker variant outbound connection"; flow:to_server,established; content:"/topic.php"; fast_pattern:only; http_uri; content:"Accept: */*|0D 0A|Host: "; http_header; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; content:!"User-Agent: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23/analysis/; classtype:trojan-activity; sid:32464; rev:1;)
alert tcp $EXTERNAL_NET 172 -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Effseart variant inbound connection"; flow:to_client,established; content:"|0D 0A 0D 0A 96 84 84 92 85 83 88 98 9C F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d951935b8c65319cb96c512b7f2c99703aef4229052787eb28f03256921ab546/analysis/; classtype:trojan-activity; sid:32457; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 172 (msg:"MALWARE-CNC Win.Backdoor.Effseart variant outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A 9F 98 85 84 92 88 96 84 84 92 85 83 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d951935b8c65319cb96c512b7f2c99703aef4229052787eb28f03256921ab546/analysis/; classtype:trojan-activity; sid:32456; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backoff initial outbound connection"; flow:to_server,established; content:"&oprat=1&uid="; depth:13; http_client_body; content:"&uinfo="; within:7; distance:7; http_client_body; content:"&grup="; distance:0; http_client_body; content:"&ver="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3a40b3fcb0707e9b5ae6dd9c7b4370b101c37c0b48fa56a602a39e6d7d5d0de5/analysis/; classtype:trojan-activity; sid:32451; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-CNC Win.Backdoor.Kivars outbound connection"; flow:to_server,established; dsize:190<>350; content:"|00 00 9B 4F|"; depth:4; offset:2; content:!"|00 00|"; depth:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/f78750b137ad1cb37cbb9ef79f360c7f232d1c7eb347a67f75a9fb6648d99018/analysis/; classtype:trojan-activity; sid:32401; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1604 (msg:"MALWARE-CNC Win.Backdoor.Parama attempted outbound connection"; flow:to_server, established; content:"|01 41 37|"; depth:3; content:"|03|"; distance:0; isdataat:!1,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/21a3384d637c439c1234d9825e2c384a542f55ae047ed83f270d299e29a6689d/analysis/; classtype:trojan-activity; sid:32400; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Vkont variant outbound connection"; flow:to_server,established; content:"xxAIFDV30gCZ4CLxwJX3MUj5X6TjcgcF"; http_client_body; content:"|3B| filename=|22|debug."; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/377c2a22989758ea115c9d151257e90e1d998da0f1c757f04071f2a126e3e875/analysis/; classtype:trojan-activity; sid:32529; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 2.0 possible TOR client retrieval attempt"; flow:to_client,established; file_data; byte_extract:1,0,size; content:"|00 00 00|"; depth:4; offset:1; content:"|00 D3 9C 08 00|"; within:5; distance:size; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3cbc091b52957b84a2131fc14b5117fad5daea36b1fa821ad83711a4781deda2/analysis/; classtype:trojan-activity; sid:32521; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bayoboiz outbound connection"; flow:to_server, established; content:"|0D 0A|TIME: "; depth:9; content:"|0D 0A|USER: "; within:8; distance:24; content:"HOST: "; within:70; content:"OS: "; within:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/a61604db242aa7e4eb26a409eab4e1f279928a0a8490982874ced7930701fdd5/analysis/; classtype:trojan-activity; sid:32557; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Bayoboiz outbound connection"; flow:to_server, established; content:"PASS 9437694683"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/en/file/a61604db242aa7e4eb26a409eab4e1f279928a0a8490982874ced7930701fdd5/analysis/; classtype:trojan-activity; sid:32556; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Coreshell variant outbound connection"; flow:to_server,established; content:"/~xh/sn.cgi?"; depth:12; http_uri; content:"T0s=|0D 0A|"; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f/analysis/; classtype:trojan-activity; sid:32551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Extant variant outbound connection"; flow:to_server,established; content:"/img/member.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/71114a8841731332f6316640add414eb231ab40f6e62176bf7e1be7e7f0df1e0/analysis/; classtype:trojan-activity; sid:32550; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Mac.Backdoor.iWorm attempted outbound connection"; flow:to_server,established; urilen:26,norm; content:"HTTP/1.0|0D 0A|Host|3A| www.reddit.com|0D 0A|Accept|3A| text/html|0D 0A 0D 0A|"; fast_pattern:only; content:"/search?q="; depth:10; http_uri; content:!"User-Agent"; http_header; pcre:"/^\/search\x3fq=[A-F0-9]{16}$/U"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d8a313afd2789b853b05cb897871ae4438170216e9ea5d4060670065e7ec34e5/analysis/; classtype:trojan-activity; sid:32548; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:8; content:"/ify.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0|3B| SLCC1"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f7740e0de807b00f9f851644cc742f14e43d376ab59f9a1fddca93caa5ec5b6c/analysis/; classtype:trojan-activity; sid:32586; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:19; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:2; distance:7; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f7740e0de807b00f9f851644cc742f14e43d376ab59f9a1fddca93caa5ec5b6c/analysis/; classtype:trojan-activity; sid:32585; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"plug=NAO"; fast_pattern:only; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/; reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity; sid:32584; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; urilen:16; content:"/cbrry/cbre.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; itype:0; content:"shit"; content:"shit"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; classtype:trojan-activity; sid:32624; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; flow:to_server,established; content:"WINKER="; fast_pattern:only; content:"WINKER="; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; classtype:trojan-activity; sid:32623; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; flow:to_server,established; content:"AST.NET_SessionId="; fast_pattern:only; content:"AST.NET_SessionId="; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; classtype:trojan-activity; sid:32622; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; flow:to_server,established; content:" TW="; fast_pattern:only; content:" TW="; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; classtype:trojan-activity; sid:32621; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection"; flow:to_server,established,only_stream; content:"Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; content:"/2help/"; depth:7; fast_pattern; http_uri; content:".hlp"; within:14; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f7f334515f0b6ee9fe92ccf0774748d933a82e297d5bf82c9e0d05bd8762d84f/analysis/; classtype:trojan-activity; sid:32614; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Jadowndec attempted outbound connection"; flow:to_server,established; content:"/works/"; http_uri; urilen:7; content:"Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; content:"OPC=10"; depth:6; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f7f334515f0b6ee9fe92ccf0774748d933a82e297d5bf82c9e0d05bd8762d84f/analysis/; classtype:trojan-activity; sid:32613; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 02|"; depth:5; dsize:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32610; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 03|"; depth:5; dsize:<160; metadata:impact_flag red, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:32609; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sodebral variant outbound connection"; flow:to_server,established; content:"/verifica/index.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32606; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Jenxcus variant outbound connection"; flow:to_server,established; content:"/seo.php?username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity; sid:32605; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Geodo variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity; sid:32604; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt"; flow:to_server,established; content:"HEAD"; http_method; content:"all.wipe"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6f5f12a2157d4f67fc3730c4531a75325c94a9bfb75302fabbd513ee78f223b2/analysis/; classtype:trojan-activity; sid:32600; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mysayad outbound connection"; flow:to_server,established,only_stream; content:"dir="; depth:4; http_client_body; content:"&data="; within:6; distance:36; http_client_body; pcre:"/^dir=[0-9A-F]{8}(-[0-9A-F]{4}){4}[0-9A-F]{8}&data=/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6f5f12a2157d4f67fc3730c4531a75325c94a9bfb75302fabbd513ee78f223b2/analysis/; classtype:trojan-activity; sid:32599; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Mysayad file wipe attempt"; flow:to_server,established; content:"HEAD"; http_method; content:".wipe"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; pcre:"/[A-F0-9]{8}(-[A-F0-9]{4}){3}-[A-F0-9]{12}.wipe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6f5f12a2157d4f67fc3730c4531a75325c94a9bfb75302fabbd513ee78f223b2/analysis/; classtype:trojan-activity; sid:32598; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8080] (msg:"MALWARE-CNC Win.Trojan.Wiper variant outbound connection"; flow:to_server,established; dsize:42; content:"(|00|"; depth:2; content:"|04 00 00 00|"; within:4; distance:36; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a/analysis/; classtype:trojan-activity; sid:32674; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Ch variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Content-length:"; http_header; content:"Content-type:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5cebead7d0321bc371fa475d689ffe658/analysis/; classtype:trojan-activity; sid:32670; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/webhp?rel="; http_uri; content:"hl="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32667; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/search?btnG="; http_uri; content:"utm="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32665; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Kuluoz variant outbound connection"; flow:to_server,established; content:"POST "; depth:5; content:"index.php HTTP"; content:"|0D 0A 0D 0A 80 00 00 00|"; distance:0; fast_pattern; content:!"|0D 0A|Referer"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/85afe62c13bd4a6304da7ef18e958156ddd872ac600bfcb802e1b4faac065cf1/analysis/; classtype:trojan-activity; sid:32706; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Dridex variant outbound connection"; flow:to_server,established; content:"Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko"; fast_pattern:only; http_header; content:"POST"; http_method; content:"Content-Type|3A| octet/binary"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/a4583318c3328204f56810ca3b22f5e4c0a74b173b1a12c5f9e35c70982a1138/analysis/; classtype:trojan-activity; sid:32678; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Dridex variant outbound connection"; flow:to_server,established; content:"/stat/lld.php"; fast_pattern:only; http_uri; urilen:13; content:"Host"; http_header; content:":8080|0D 0A|"; within:30; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/a4583318c3328204f56810ca3b22f5e4c0a74b173b1a12c5f9e35c70982a1138/analysis/; classtype:trojan-activity; sid:32677; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FIN4 VBA Macro credentials upload attempt"; flow:to_server, established; content:"POST"; http_method; content:"/report.php?msg="; fast_pattern:only; http_uri; content:"&uname="; http_uri; content:"&pword="; http_uri; content:"Content-Length|3A 20|0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity; sid:32776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)"; fast_pattern:only; http_header; content:"/"; depth:1; offset:9; http_uri; content:"/"; within:1; distance:8; http_uri; content:"Host:"; http_header; content:":8080"; within:30; http_header; content:"POST"; http_method; dsize:<480; pcre:"/^\/[a-f0-9]{8}\/[a-f0-9]{8}\/$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/27c298c77e16bbc3f056653034c2d918418f877bb0193a9ca533b5527d830a94/analysis/; classtype:trojan-activity; sid:32770; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WOWCheckC Attempted CNC"; flow:to_server,established; content:"/add.jsp?uid=001&ver=0307&mac="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9D3D80DADEA99809E835072C5452F47581ECD0C57854A743BA7448B9332401B1/analysis/; classtype:attempted-user; sid:32769; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Ragebot variant outbound connection"; flow:to_server,established; content:"NICK raGe|7C|"; depth:10; content:".net|22| |22|rage|22|"; distance:0; nocase; content:"JOIN #scan# rage"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/33a9b8f61e717f5bad87481667a52c911111d29d2bc00d811146578d8719daa7/analysis/; classtype:trojan-activity; sid:32747; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2015 (msg:"MALWARE-CNC VGABot IRC communication attempt"; flow:to_server,established; content:"JOIN |23|websites g0dl1k3"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/f6dfea954b4cb6fd0e737a7b806039e5490224e692123105fbf947541d73550b/analysis/1417795347/; classtype:trojan-activity; sid:32743; rev:1;)
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection"; flow:to_server,established; content:"Content-Disposition: form-data|3B| name=|22|serverKey|22|"; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|key|22|"; http_client_body; content:!"User-Agent: "; http_header; content:!"Referer: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7c4381d282964d4f0918412aa3fe3384fe8ee8409dd0c79e734d2bd643fac40e/analysis/; classtype:trojan-activity; sid:32736; rev:1;)
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoPHP variant outbound connection"; flow:to_server,established; content:"serverKey="; depth:10; http_client_body; content:"&data="; within:10; distance:10; http_client_body; content:!"User-Agent: "; http_header; content:!"Referer: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7c4381d282964d4f0918412aa3fe3384fe8ee8409dd0c79e734d2bd643fac40e/analysis/; classtype:trojan-activity; sid:32735; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Typideg variant outbound connection"; flow:established,to_server; urilen:>240; content:"/?"; depth:2; http_uri; content:"Referer|3A| http|3A|//www.google.com"; pcre:"/^\/\x3f[1-9][A-Za-z0-9~_-]{240}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3cd6ad651257f66e9a68d9c89f14666941886e4251983fe7f9bff898b435827e/analysis/; classtype:trojan-activity; sid:32734; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"MALWARE-CNC Win.Trojan.Olegb variant outbound connection"; flow:established,to_server; content:"|00|"; depth:1; content:"|04 00 00 00 25 05 90 19 03|"; within:9; distance:3; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/3cc83ea209348c83b6349d08d1b0aade8d09a34e05f87a5aadc687445eadac2b/analysis/; classtype:trojan-activity; sid:32728; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Win.Backdoor.Uclinu variant outbound connection"; flow:to_server,established; content:"|A1 AD A4 E2 E7 AE CA D0 72 C5 F2 D0 87 D7 B5|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/765cefb36c47598a711e00f1cb9a64cde9014b0984ac5ae8ff7b462e757d8eb2/analysis/; classtype:trojan-activity; sid:32727; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Eskaetee outbound connection"; flow:to_server,established; content:".asp|20|HTTP"; content:"Cookie|3A| MC1=V=3&GUID=57ee8df6bd36496e8f36f103d8261984"; fast_pattern:only; content:"|78 9C|"; depth:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e1074398baf00c37067b9717e90758bb0708897a447f9e887cc7a0ecd9acdb85/analysis/; classtype:trojan-activity; sid:32781; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Eskaetee outbound connection"; flow:to_server,established; content:".asp|20|HTTP"; content:"|7C|RunTime|3A|"; http_header; content:"|7C|Proxy|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e1074398baf00c37067b9717e90758bb0708897a447f9e887cc7a0ecd9acdb85/analysis/; classtype:trojan-activity; sid:32780; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Darkhotel response connection attempt"; flow:to_client,established; file_data; content:"DEXT87"; pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32827; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/html/docu.php"; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32826; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/bin/read_i.php?"; http_uri; content:"a1="; http_uri; content:"&a2=step2-down"; fast_pattern:only; http_uri; content:"&a3="; http_uri; content:"&a4="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32825; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection"; flow:to_server,established; content:"/txt/read.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/images/view.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32823; rev:2;)
alert tcp $EXTERNAL_NET 9999 -> $HOME_NET any (msg:"MALWARE-CNC Win.Virus.Ransomlock inbound connection"; flow:to_client,established; dsize:4; content:"|74 01 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/ip-address/200.119.204.12/information/; classtype:trojan-activity; sid:32792; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"MALWARE-CNC Win.Virus.Ransomlock outbound connection"; flow:to_server,established; dsize:4; content:"|94 00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/ip-address/200.119.204.12/information/; classtype:trojan-activity; sid:32791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Loodir outbound connection"; flow:to_server,established; content:"/run11_1st.txt"; fast_pattern:only; http_uri; content:"Range|3A| bytes=0-"; http_header; content:"Connection|3A|Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cf9d1db362903af1631af9d426b9cd722ce4c78ab52817746775a26f237cb6f7/analysis/; classtype:trojan-activity; sid:32854; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/feed.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32853; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/form.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ksypypro outbound connection"; flow:to_server,established; content:"/contact/about.php"; fast_pattern:only; http_uri; content:"px="; depth:3; http_client_body; content:"&note="; within:21; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c40f6c7a8bafc99ce8a36879b05dd97ced9b96c2060f5812c9c58e461da59225/analysis/; classtype:trojan-activity; sid:32882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Finforst outbound connection"; flow:to_server,established; content:"/reporter.php?msg="; fast_pattern:only; http_uri; content:"&uname"; http_uri; content:"&pword="; within:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2d7fbaa5bc21f86b7554430c700e4506d1b2a66fa5c48517e9ca285edd2ef999/analysis/; classtype:trojan-activity; sid:32893; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TorLocker variant outbound connection"; flow:to_server, established; content:"/fc8zs.exe"; fast_pattern:only; http_uri; content:"User-Agent:"; http_header; content:"Media Center PC 6.0"; within:155; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c54d01f58d99ffbf25b118968721c06f4f91fb53f35b047a26885007cc78d43a/analysis/; classtype:trojan-activity; sid:32892; rev:2;)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Php.Malware.SoakSoakRedirect Malware traffic containing WordPress Administrator credentials"; flow:to_client,established; file_data; content:"<all_ok_sql^"; content:":support_users_v-"; within:35; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/31905465ef075fafd1f8d46b94aa18451011443935987c615c50623641a2f593/analysis/1418637075/; classtype:attempted-user; sid:32891; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TinyZBot response connection attempt"; flow:to_client, established; file_data; content:"<?xml"; content:"<soap:Body><GetFileListResponse xmlns=|22|http|3A 2F 2F|"; within:70; distance:200; content:"<GetFileListResult><string>[ALL]__"; within:75; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt"; flow:to_server,established; content:"POST"; http_method; urilen:17; content:"/checkupdate.asmx"; fast_pattern:only; http_uri; content:"SOAPAction|3A 20|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|MS Web Services Client Protocol"; pcre:"/SOAPAction\x3a[^\r\n]*Get(ServerTime|FileList|File)\x22/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.CoolReaper.Trojan outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/dmp/api/"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|UAC/1.0.0 (Android "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d6b3adb614b94f8a8609f0e/analysis/; classtype:trojan-activity; sid:32956; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bladabindi variant outbound connection"; flow:to_server,established; content:"Host: pastebin.com"; fast_pattern:only; http_header; content:!"User-Agent"; http_header; content:"download.php"; http_uri; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/b9cf049a38d52f79e2a9c2d84b9bbc5ad39263a8b663cceda5cae12a3bdb65b8/analysis/; classtype:trojan-activity; sid:32950; rev:2;)
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,2525,587] (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound connection"; flow:to_server,established; content:"|3A| <dyanachear@beyondsys.com>|0D 0A|"; fast_pattern:only; content:"Content-Disposition|3A| attachment|3B 0D 0A 09|filename="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/CD75664EDEA18E3AA303763E6F6C639B3E90EAD4B51C2B3E41C808E3D968C848/analysis/; classtype:trojan-activity; sid:32910; rev:2;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound connection"; flow:to_server,established; content:"|3A| <TerafficAnalyzer@yahoo.com>|0D 0A|"; fast_pattern:only; content:"Content-Disposition|3A| attachment|3B 0D 0A 09|filename="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/CD75664EDEA18E3AA303763E6F6C639B3E90EAD4B51C2B3E41C808E3D968C848/analysis/; classtype:trojan-activity; sid:32909; rev:2;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound connection"; flow:to_server,established; content:"|3A| <testmail_00001@yahoo.com>|0D 0A|"; fast_pattern:only; content:"Content-Disposition|3A| attachment|3B 0D 0A 09|filename="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/CD75664EDEA18E3AA303763E6F6C639B3E90EAD4B51C2B3E41C808E3D968C848/analysis/; classtype:trojan-activity; sid:32908; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Toopu outbound connection"; flow:to_server,established; content:"|0D 0A|Referer|3A 20 0D 0A|Accept-Language|3A|"; fast_pattern:only; http_header; content:"Cookie|3A 20 0D 0A|"; http_raw_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32990; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor outbound connection"; flow:to_server,established; content:"xml_lost_ad.asp"; fast_pattern:only; http_uri; content:"ad_url="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32989; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor outbound connection"; flow:to_server,established; content:"click_log2.asp"; fast_pattern:only; http_uri; content:"ad_url="; http_uri; content:"cr=yes"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32988; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor outbound connection"; flow:to_server,established; content:"/get_ad3.asp"; fast_pattern:only; http_uri; content:"type=loadall"; http_uri; content:"machinename="; http_uri; content:"cr=yes"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32987; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Toopu dll embedded in png download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|00 00 00 00|IEND"; content:"MZ"; within:2; distance:4; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/331177E4FBDE6C98620F1C9927962C79D4C027807357F42002A14A2DC22B4044/analysis/; classtype:trojan-activity; sid:32986; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/form.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32977; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/feed.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32976; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Twerket variant outbound connection"; flow:to_server,established; content:"/classes/functions.php"; fast_pattern:only; http_uri; content:"?functionname="; nocase; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/de79809054839419556a9a706409b6e0785559cb093fe3e8c7828991194d4c95/analysis/; classtype:trojan-activity; sid:32973; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Tosct variant outbound connection"; flow:to_server,established; content:"Y3vaR7-V0Vj6gdni"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d9eb155c016dc105c2290dd72a003894e71cc854a1c9cc75bd37432c6db45634/analysis/; classtype:trojan-activity; sid:33084; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocpos information disclosure attempt"; flow:to_server,established; urilen:6; content:"/check"; nocase; http_uri; content:"User-Agent|3A| something|0D 0A|"; fast_pattern:only; http_header; content:"address="; depth:8; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/09ca7be86f517f2e3238e1d52115d29fb2dd079a4d9fc60c18ddc823c137a940/analysis/; classtype:trojan-activity; sid:33083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocpos initial outbound connection"; flow:to_server,established; urilen:11; content:"/check/echo"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; nocase; http_header; content:!"Content-Length|3A|"; nocase; http_header; content:!"Content-Type|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/09ca7be86f517f2e3238e1d52115d29fb2dd079a4d9fc60c18ddc823c137a940/analysis/; classtype:trojan-activity; sid:33082; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OnionDuke variant outbound connection"; flow:to_server,established; content:"/forum/phpBB3/menu.php?"; fast_pattern:only; http_uri; urilen:150; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/19972cc87c7653aff9620461ce459b996b1f9b030d7c8031df0c8265b73f670d/analysis/; classtype:trojan-activity; sid:33081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lagulon.A outbound connection"; flow:established,to_server; content:"Content-Disposition|3A| inline|3B| comp="; fast_pattern:only; http_header; content:"/contador/server.php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e401340020688cdd0f5051b7553815eee6bc04a5a962900883f1b3676bf1de53/analysis/; classtype:trojan-activity; sid:33061; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"CNN_Mirror/EN"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33060; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bbc_mirror/"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33059; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Medusa variant inbound connection"; flow:to_client,established; dsize:<510; content:"|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"; content:"|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33058; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Joanap outbound connection"; flow:to_server, established; content:"|C0 10 CE 82 EA 6B 6B 1D E0 E4 5C F8|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/dc030c478d783044dfbf68de54ca6f36e154f60f65dc92f2c6d724078402e738/analysis/; classtype:trojan-activity; sid:33054; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heur variant outbound connection"; flow:to_server, established; content:"GET"; http_method; urilen:17; content:"/01/WindowsUpdate"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9faf3e813736b37c6d3b6bc/analysis/; classtype:trojan-activity; sid:33153; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nurjax.A outbound connection"; flow:to_server,established; content:"&dummy="; fast_pattern:only; content:"/services/update.php"; http_uri; content:"&key="; http_uri; pcre:"/&key=[a-z0-9]{32}&dummy=\d{3,5}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ebbc48847066b530924592977226238ab60861740a95aaa4129431c3d8b07ca8/analysis/; classtype:trojan-activity; sid:33152; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5551 (msg:"MALWARE-CNC Win.Worm.Ultramine outbound connection"; flow:established,to_server; content:"asdfgcod1asdfg"; depth:14; content:"asdfg"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d5933d8e7d445880e59884520f85a41cd2ad7ed8f9e8b38a48c1279e681ea6df/analysis/; classtype:trojan-activity; sid:33149; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.Agent variant SMTP reporting attempt"; flow:to_server,established; content:"Subject: Logger - Server Ran"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:33148; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.Agent variant SMTP reporting attempt"; flow:to_server,established; content:"Subject: Logger - Recovery Log"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:33147; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"|41 11 12 1C 19 18 0F 43 41 1A 18 09 22 10 12 19 08 11 18|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33145; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poweliks outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/q"; http_uri; urilen:2; content:"|0D 0A|Connection|3A| close|0D 0A|Content-Type|3A| application/x-www-form-urlencoded|0D 0A|Content-Length|3A| "; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3B99A5C4CAF5B634AEAE0450556E8638EB2976BF17B234229F5D9096E434B9E5/analysis/; classtype:trojan-activity; sid:33165; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Rombertik outbound connection"; flow:to_server,established; content:"User-Agent: runscope/0.1"; fast_pattern:only; http_header; content:"name="; http_client_body; content:"&host="; http_client_body; content:"&browser="; http_client_body; content:"&host="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/298234d69f5789de6d092cae131fe9830e61324d591b55cd9079b2fab6d82cd2/analysis/; classtype:attempted-user; sid:33161; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"GET "; content:"Accept|3A 20|text/*|2C 20|application/*|0D 0A|User-Agent|3A 20|"; fast_pattern:only; http_header; content:!"Sling/4."; pcre:"/Accept\x3a\x20text\/\*\x2c\x20application\/\*\x0d\x0aUser-Agent\x3a\x20[^\n]+\x0d\x0aHost\x3a[^\n]+\x0d\x0a(Pragma|Cache-Control)\x3a\x20no-cache\x0d\x0a(Connection\x3a Keep-Alive\x0d\x0a)?(\x0d\x0a)?$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9f30d351418eb0d55d75eec46e6679d715c287ff0bfbfdcb98d91f06c3714d52/analysis/; classtype:trojan-activity; sid:33211; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Pisces variant outbound connection"; flow:to_server,established; content:"|00 00 43 50 00 00 2D B0 00 00|"; depth:10; offset:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/136e709cc83cbda0cd8ca6e46fe9e57202bd2699ca063f9d1a51602394c06ef3/analysis/1421953374/; classtype:trojan-activity; sid:33200; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Sabeba outbound connection"; flow:established,to_server; content:"/panel/request.php?action="; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/20cb36f3f9ac51b0cdd826008902923a469e1b8e5bcd1e64eca7457181a8990c/analysis/; classtype:trojan-activity; sid:33199; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/form2.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"name=screenshot"; fast_pattern:only; pcre:"/name\x3dscreenshot\d+\x2e/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33223; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"=0D=0AClipboard"; fast_pattern:only; content:"=0D=0AKeyboard"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33222; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?"; fast_pattern; content:"=?=|0D 0A|"; within:150; flowbits:set,hawk.lgr; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33221; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"HawkEye Keylogger"; fast_pattern:only; content:"Subject: =?utf-8?B"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; urilen:9; content:"POST"; http_method; content:"/2ldr.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cendode system information disclosure attempt"; flow:to_server,established; urilen:15; content:"/start/list.php"; nocase; http_uri; content:"|5C|SunDevPackUpdate|5C|JSO"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2fd8af5dcada8d29328437b9f6c13ca73bd766396cc6f6088c83cbba422a112a/analysis/; classtype:trojan-activity; sid:33218; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Nuovoscor variant outbound connection"; flow:to_server,established; content:"/|7C|*|7C 5C|"; depth:5; content:"CONNECTED|7C|+|7C|"; within:12; distance:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/cbc08614283cf04ebc62ca05b507bf2c559fcedc96abf154c90ffd72aee2fdf9/analysis/; classtype:trojan-activity; sid:33217; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bavload outbound download request attempt"; flow:to_server,established; urilen:12; content:"/juan_sd.txt"; fast_pattern:only; content:!"Referer|3A|"; nocase; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c56fd6fadce1d870a7006c13264ee7782930ad7699523fad6142d3a1d586e504/analysis/; classtype:trojan-activity; sid:33285; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnLineGames variant outbound connection"; flow:to_server,established; urilen:>12; content:"/C8C/gl/cnzz"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8fa888dc56a10e3d103342b7bd22e46c7e020f4cc66efc74c328abe0fcb9c773/analysis/; classtype:trojan-activity; sid:33284; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"/js/jquery-"; fast_pattern; http_uri; content:".js?"; within:15; distance:1; http_uri; pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/UGi"; content:"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Rubinurd variant outbound connection"; flow:to_server,established; content:"GET "; depth:4; content:".php?id="; within:8; distance:6; fast_pattern; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)"; distance:0; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a4d8b0c93faf5d159359ad86b80c7c96f687640c51ec3565f54a059138f7b530/analysis/; classtype:trojan-activity; sid:33305; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foxy variant outbound connection"; flow:to_server,established; urilen:>80; content:"index.php?admin="; http_uri; content:"&arch_type="; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c85940369a8028803460baf600203c435179611769a9850a2aef7fb45d2c86d7/analysis/; classtype:trojan-activity; sid:33299; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3373 (msg:"MALWARE-CNC Win.Trojan.Rawpos incoming backdoor connection attempt"; flow:to_server,established; dsize:10; content:"bartalamy!"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/74d5dd1a64b66bd74fc4bdc67354535c349b06b96f024a03b098f886740ec884/analysis/; classtype:trojan-activity; sid:33289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection"; flow:to_server,established; content:"POST http://proxy5-5-5.i2p/"; depth:30; fast_pattern; content:"Host: proxy5-5-5.i2p|0D 0A|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/; classtype:trojan-activity; sid:33435; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection"; flow:to_server,established; content:"POST http://proxy4-4-4.i2p/"; depth:30; fast_pattern; content:"Host: proxy4-4-4.i2p|0D 0A|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/; classtype:trojan-activity; sid:33434; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection"; flow:to_server,established; content:"POST http://proxy3-3-3.i2p/"; depth:30; fast_pattern; content:"Host: proxy3-3-3.i2p|0D 0A|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/; classtype:trojan-activity; sid:33433; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection"; flow:to_server,established; content:"POST http://proxy2-2-2.i2p/"; depth:30; fast_pattern; content:"Host: proxy2-2-2.i2p|0D 0A|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/; classtype:trojan-activity; sid:33432; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall 3.0 variant outbound connection"; flow:to_server,established; content:"POST http://proxy1-1-1.i2p/"; depth:30; fast_pattern; content:"Host: proxy1-1-1.i2p|0D 0A|"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9e06d2ce0741e039311261acc3d3acbaba12e02af8a8f163be926ca90230fa89/analysis/; classtype:trojan-activity; sid:33431; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Doc.Downloader.Dridex outbound connection"; flow:established,to_server; urilen:16; content:"/mopsi/popsi.php"; fast_pattern:only; http_uri; content:!"Referer|3A 20|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/182c055ed50804e47ad3916b2d3f21e06719545d11b117f2ca17b52750207eaf/analysis/; classtype:attempted-user; sid:33411; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Downloader.Dridex outbound connection"; flow:established,to_server; urilen:11; content:"/js/bin.exe"; fast_pattern:only; http_uri; content:!"Referer|3A 20|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/048714ed23c86a32f085cc0a4759875219bdcb0eb61dabb2ba03de09311a1827/analysis/; classtype:attempted-user; sid:33342; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Yinli outbound connection"; flow:to_server; content:"/doxc/aqw.php?yin="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/69504c5b18f4c6347b5921d2a676abf841aecbefad67cafa2ea4d97960d10614/analysis/; classtype:attempted-user; sid:33330; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Yinli outbound connection"; flow:to_server; content:"/soz.php?dis="; fast_pattern:only; http_uri; content:"&pat="; http_uri; content:"&cname="; http_uri; content:"&len="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/69504c5b18f4c6347b5921d2a676abf841aecbefad67cafa2ea4d97960d10614/analysis/; classtype:attempted-user; sid:33329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Yinli outbound connection"; flow:to_server; content:"/scong/cong.php?Lien="; fast_pattern:only; http_uri; content:"&Chin="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/77fbe90d2a6b73aa869b13cccab9e645110dc75859c89763ec7732fa18a358ac/analysis/; classtype:attempted-user; sid:33328; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dynamer variant outbound connection"; flow:to_server,established; content:"/index.php?email="; fast_pattern:only; http_uri; content:"@"; http_uri; content:"&len"; http_uri; content:!"User-Agent|3A| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; pcre:"/\x0d\x0aHost\x3a\x20[^\x0d\x0a\x2e]+\x2e[^\x0d\x0a\x2e]+(\x3a\d{1,5})?\x0d\x0a\x0d\x0a$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/73461d1fb355ba0ed4d9bc36b36333be58bd1f863f92d6c39131be6f4b656511/analysis/; classtype:trojan-activity; sid:33464; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/"; fast_pattern:only; http_header; content:".php"; http_uri; content:!"Referer:"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"MALWARE-CNC Doc.Downloader.Dridex outbound connection"; flow:established,to_server; urilen:14; content:"/mops/pops.php"; fast_pattern:only; http_uri; content:!"Referer|3A 20|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b018c37bd4b27d8fcfc543d05ef5c0f0477551afe4a396584c6f1b83aeacfa92/analysis/; classtype:attempted-user; sid:33456; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/12/index.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"="; depth:2; http_client_body; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"/m343ff4ufbnmm4uu4nf34m443frr/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/r1xpr/r1xe.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gefetroe variant outbound connection"; flow:to_server,established; content:"/GFDTroj/GFD.php?PC="; fast_pattern:only; http_uri; content:"&action=initialize"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/94c8c98d0f171c9713adc785e057b35da452b66770fe7e14a57cfb5dc3e947fa/analysis/; classtype:trojan-activity; sid:33439; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"/updateb.xml?"; fast_pattern:only; http_uri; content:"rnd="; http_uri; content:"&spfail="; within:20; http_uri; content:"&guid="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33524; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"/postinstall.php?"; http_uri; content:"src="; within:5; http_uri; content:"&medium="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33523; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"&pcname="; fast_pattern:only; http_client_body; content:"hwid="; depth:5; http_client_body; content:"&mode="; within:50; http_client_body; content:"&system="; within:32; http_client_body; content:"&version="; within:60; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33521; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern; content:"] => "; within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3A| Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Content-Length|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A 0D 0A|"; within:21; distance:4; http_header; pcre:"/Content-Length\x3a\x20(?:(8(8|4|0)?)|40|76)\x0d\x0aConnection\x3a\x20close\x0d\x0a\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7bafad92d862aab418553ab69b974644eda3144b304bb1a3d06fba231b64b3ad/analysis/; classtype:trojan-activity; sid:33496; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Enosch variant outbound connection"; flow:to_server,established; content:"/index.html"; http_uri; content:"User-Agent|3A 20|gtalk|0D 0A|"; fast_pattern:only; http_header; content:"Host|3A 20|www.google.com|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/27A8198B85A2BDB6185BC0D4697554CF767479C64ACF46A8075A6C7C86866C0A/analysis/; classtype:trojan-activity; sid:33482; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Linux.Backdoor.Xnote outbound connection"; flow:to_server,established; content:"|11 00 00 00 01 00 00 00 78 9C 4B 05 00 00 66 00 66|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop; reference:url,www.virustotal.com/en/file/9ba52d6a5df217e1bd6dcc92895ccfa1a1426a8b6fb062e4712fae4e483dd877/analysis/; classtype:trojan-activity; sid:33481; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Equation outbound connection"; flow:to_server,established; content:"?qq="; http_uri; content:"&rr="; distance:0; http_uri; content:"&h="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e/analysis/; classtype:trojan-activity; sid:33546; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Equation outbound connection"; flow:to_server,established; urilen:9; content:"/cgi-bin/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e/analysis/; classtype:trojan-activity; sid:33545; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Equation outbound connection"; flow:to_server,established; urilen:9; content:"/cgi-bin/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Win32|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1b0eb1a1591140175d1ac111a98c89472b196599baf13ef67ee7f63d0052b00e/analysis/; classtype:trojan-activity; sid:33543; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?uid="; http_uri; content:"&context="; distance:0; http_uri; content:"&mode=text"; distance:0; fast_pattern; http_uri; content:"&data="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity; sid:33547; rev:3;)
alert tcp any any -> any 443 (msg:"MALWARE-CNC Unix.Trojan.lubot outbound connection"; flow:to_server,established; content:"|20 3A 03|7-shell|20 03|14@|03|3"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33621; rev:1;)
alert tcp any any -> any 443 (msg:"MALWARE-CNC Unix.Trojan.lubot outbound connection"; flow:to_server,established; content:"NICK|20|[-]"; depth:8; content:"|0A|"; within:6; content:"PASS|20 0A|USER [-]|20|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33620; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,446,447] (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound detected"; flow:to_server,established; isdataat:!7; content:"|00 FF|"; depth:2; content:"|00 00 00|"; within:3; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/59852c486e6842b1901527baa3d96088065c1fac8a490031e7683c5d18340855/analysis/; reference:url,www.virustotal.com/en/file/83F75C8D52B84795A526CA7DAEA29186CDC2CDD4A33871A942BB00D673BB0E20/analysis/; classtype:trojan-activity; sid:33600; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:established,to_server; content:"GET|20|"; depth:4; content:"/0/"; distance:0; fast_pattern; content:!".gzip"; content:"HTTP/1.1|0D 0A|User-Agent"; distance:0; content:!"Referer|3A|"; distance:0; content:!"Accept-"; distance:0; pcre:"/^Host\x3a[^\x0d\x0a]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}\x0d?$/mi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c626804d99195bb0c74e276c49ad48278c8f3723180323c767c60cc8c9f43f7d/analysis/; classtype:trojan-activity; sid:33594; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection"; flow:to_server,established; urilen:35; content:"/stats/"; nocase; http_uri; content:"/counter/"; within:9; distance:2; nocase; http_uri; pcre:"/^\/stats\/\d{2}\/counter\/\w{8}\/\w{8}$/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/66d758dbdffb51460fbc47492de070cb03345e5587f480a7100e32c0a63ff2b8/analysis/; classtype:trojan-activity; sid:33660; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt"; flow:to_server,established; content:"Content-Disposition: form-data|3B| name="; http_client_body; content:"upload"; within:10; http_client_body; content:"filename="; within:50; http_client_body; content:"listprocess.txt"; within:20; fast_pattern; http_client_body; urilen:168<>184; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/d843ea21ed8259248f06a6cb39ad9ee07a8a5fd5c481de57865dee64e22bcf08/analysis/; classtype:trojan-activity; sid:33656; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tinba outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/preview/"; http_uri; content:"Content-Length: 157|0D 0A|"; http_header; content:!"User-Agent|3A 20|"; http_header; content:"|00 80 00 00 00|"; depth:5; offset:24; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1c159bdafa037be39ac062bdaeeb1f621/analysis/; classtype:trojan-activity; sid:33650; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler.action?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"POST"; http_method; content:"/submit.action?username="; http_uri; content:"&password="; within:30; http_uri; content:".tgz"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33647; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check.action?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33646; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"|44 14 17 19 1C 1D 0A 46 44 1F 1D 0C 27 15 17 1C 0D 14 1D|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33704; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carbanak connection to server"; flow:to_server,established; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Accept: */*|0D 0A|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; urilen:168<>184; isdataat:500; isdataat:!601; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/d843ea21ed8259248f06a6cb39ad9ee07a8a5fd5c481de57865dee64e22bcf08/analysis/; classtype:trojan-activity; sid:33681; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FannyWorm outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|)|0D 0A|"; fast_pattern:only; http_header; content:"/ads/QueryRecord"; http_uri; content:".html"; within:25; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity; sid:33678; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Babar outbound connection"; flow:to_server,established; content:"/bb/index.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSI 6.0|3B|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf/analysis/; classtype:trojan-activity; sid:33677; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"/premium-load2/BTC.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c09075245b525dfb565a257ab483b3434684ba9dd941e327ae865de8e2288043/analysis/; classtype:trojan-activity; sid:33675; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"/premium-load2/82ii.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c09075245b525dfb565a257ab483b3434684ba9dd941e327ae865de8e2288043/analysis/; classtype:trojan-activity; sid:33674; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection"; flow:established,to_server; urilen:>150; content:"Cookie|3A| disclaimer_accepted=true"; fast_pattern:only; content:"disclaimer_accepted=true"; http_cookie; content:!"?"; http_uri; content:"="; http_uri; pcre:"/^\/([a-zA-Z0-9-&+ ]+[^\/?]=){5}/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33757; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.CTB-Locker outbound connection"; flow:established,to_server; urilen:>150; content:"Cookie|3A| onion2web_confirmed=true"; fast_pattern:only; content:"onion2web_confirmed=true"; http_cookie; content:!"?"; http_uri; content:"="; http_uri; pcre:"/^\/([a-zA-Z0-9-&+ ]+[^\/?]=){5}/Ui"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33756; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" in|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33755; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" me|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33754; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" co|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33753; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" eu|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33752; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" it|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33751; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" edu|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33750; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" us|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33749; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" org|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33748; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" biz|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33747; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" net|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33746; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" com|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,0,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,4,eChar,relative; byte_test:1,=,eChar,4,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33745; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/service/related?sector="; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33822; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:!"Connection:"; http_header; content:"/report"; depth:7; http_uri; content:"_payload"; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33821; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:!"Connection:"; http_header; content:"/report"; depth:7; http_uri; content:"_image"; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33820; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:!"Connection:"; http_header; content:"/report"; depth:7; http_uri; content:"_step"; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33819; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:!"Accept:"; http_header; content:!"Connection:"; http_header; content:"/report"; depth:7; http_uri; content:"_process"; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33818; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" in|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33868; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" me|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33867; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" co|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33866; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" eu|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33865; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" it|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33864; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" edu|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33863; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" us|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33862; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" org|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33861; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" biz|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33860; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex3 initial outbound connection"; flow:to_server,established; content:"Host: "; http_header; content:" net|0D 0A|"; within:35; distance:5; fast_pattern; http_header; content:"|0D 0A 0D 0A|"; distance:0; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59e49cd21ff679582fbd65dd904ac9197c0b3d9d38de64184f67aecdd2b24f84/analysis/; classtype:trojan-activity; sid:33859; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.PwnPOS data exfiltration attempt"; flow:to_server,established; content:"From|3A| "; nocase; content:"Drone"; within:10; nocase; content:"Subject|3A| "; nocase; content:"Drone|0D 0A|"; within:100; nocase; content:"filename="; nocase; content:"syshealth.7z"; within:20; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/file/fd5c89b46f099891a7152123a546e00ec8b68a6556f70039fd6e10d67e3c090e/analysis/1425883762; classtype:trojan-activity; sid:33857; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LogPOS variant outbound connection"; flow:to_server,established; content:"?encoding="; nocase; http_uri; content:"&process="; distance:0; nocase; http_uri; content:"&track="; distance:0; nocase; http_uri; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,morphick.com/blog/2015/2/27/mailslot-pos; reference:url,www.virustotal.com/en/file/686dbe5eb148db706e48a74eba627270055ed1ba534a98d5d00690577eb42e49/analysis/; classtype:trojan-activity; sid:33854; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header; content:"oprat="; depth:6; http_client_body; content:"&uinfo="; within:10; distance:23; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; within:6; distance:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; fast_pattern:only; http_header; content:"uid="; depth:4; http_client_body; content:"&uinfo="; within:26; http_client_body; content:"&win="; distance:0; http_client_body; content:"&bits="; within:6; distance:3; http_client_body; content:"&build="; within:20; distance:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33851; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadtre variant outbound connection"; flow:to_server,established; content:"?v=2"; nocase; http_uri; content:"&p=db"; distance:0; nocase; http_uri; content:"&ip="; distance:0; nocase; http_uri; content:"&old_svrid="; fast_pattern:only; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7afc3aa4453603d6b11315c3a6a1d80fd36b42fc03f17116c92bc465680b0089/analysis/; classtype:trojan-activity; sid:33883; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Backdoor.Casper outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/css/images/_cgi/index.php"; fast_pattern:only; http_uri; content:"PREF="; http_cookie; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/daa56e7acd5fb69ecefdbf5179c5ef4776ccc41ebe7e14920f11b84678c83a00/analysis/; classtype:trojan-activity; sid:33880; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meowner runtime detection"; flow:to_server,established; content:"post.php?type=notification&machinename="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0efc3c54f61515ba7531a3207f93d95d0638151f9b4584c4897ce91bb001294e/analysis/; classtype:trojan-activity; sid:33879; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meowner runtime detection"; flow:to_server,established; content:"post.php?type=keystrokes&machinename="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0efc3c54f61515ba7531a3207f93d95d0638151f9b4584c4897ce91bb001294e/analysis/; classtype:trojan-activity; sid:33878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meowner runtime detection"; flow:to_server,established; content:"post.php?type=passwords&machinename="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0efc3c54f61515ba7531a3207f93d95d0638151f9b4584c4897ce91bb001294e/analysis/; classtype:trojan-activity; sid:33877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meowner runtime detection"; flow:to_server,established; content:"post.php?type=clipboard&machinename="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0efc3c54f61515ba7531a3207f93d95d0638151f9b4584c4897ce91bb001294e/analysis/; classtype:trojan-activity; sid:33876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tepoyx outbound connection detection"; flow:to_server,established; content:".php?id="; http_uri; content:"&ver="; within:21; distance:23; http_uri; pcre:"/\.php\?id=(\d{5}-\d{3}-\d{7}-\d{5}|0[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}1)&ver=\d{7}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bb5fc186c65880eb1528048847ad6706ce4d3dcf72f712db2df4db8bccaf022e/analysis/; classtype:trojan-activity; sid:33873; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Urahu outbound connection"; flow:to_server,established; dsize:184; content:"|B0 00 00 00 77 00 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/043ce80cb94351fda5a03c742f5ea6111c97877ed0ce49e11c61d151fc82c728/analysis/; classtype:trojan-activity; sid:33872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection"; flow:to_server,established; urilen:>300,norm; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)"; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/^\/[A-Za-z0-9]+\.php\?[A-Za-z0-9\x2B\x2F\x3D]{300}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/65c8fa84a707c0e3c0cd5d135d35eed15e1291d3223916e4bad7e91176d04a54/analysis/; classtype:trojan-activity; sid:33893; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Xerq outbound connection"; flow:to_server,established; content:"/mathi/io/"; fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; nocase; http_header; content:"name="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7a69cf34e8259a89c12ebae7fed7bfe906590e5e12434cefbecd49588f2ed318/analysis/; classtype:trojan-activity; sid:33892; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amasages variant outbound connection"; flow:to_server,established; content:"/log/index.php"; fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; nocase; http_header; content:"text="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e17ef5ccc61aaba3b8e2e38c376f91a5408376c1a94116d46710ec8ce9634cf/analysis/; classtype:trojan-activity; sid:33891; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC WIn.Trojan.HawkEye keylogger variant outbound connection"; flow:to_server,established; content:"STOR HawkEye_"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/ab7a8e2e7ca3fb87da79774e93be4c9a7a50a6a6f6b479c4cc13dc72416895fa/analysis/; classtype:trojan-activity; sid:33886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"KrisR"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:33885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Concbak outbound connection"; flow:established,to_server; content:"User-Agent|3A 20|Firefox.3.5"; fast_pattern:only; http_header; content:"Accept-Encoding|3A 20|identity"; http_header; content:"mode="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1/analysis/; classtype:trojan-activity; sid:33913; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Cryptofortress Decryption Software Purchase Tor Website"; flow:to_server,established; content:"Host: h63rbx7gkd3gygag.tor2web.org"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2b1f36a4c856b989a941f454fcce3a5e9670b21de105c5014450cbdaa27ed1cb/analysis/; classtype:trojan-activity; sid:33912; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Mafusc variant outbound connection"; flow:to_server,established; content:"/webpanel/connect2.php"; fast_pattern:only; http_uri; content:"JJ="; http_client_body; content:"&NN="; http_client_body; content:"&EE="; http_client_body; content:"&GG="; http_client_body; content:"&QQ="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0d8edc077940c96f585f5db423143ea4efa3c77fc45252665cdcbdd1ddca0274/analysis/; reference:url,www.virustotal.com/en/file/9903b5eb5be3e2a8c4f8e5240b74eee71580920ba2dd427d2fdb18782b9c7052/analysis/; classtype:trojan-activity; sid:33966; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Penget variant outbound connection"; flow:to_server,established; content:"v="; http_uri; content:"a="; http_uri; content:"u="; http_uri; content:"User-Agent: IE|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/668c7a22614985ae40c79928edf0b1d8423a8b33b59283995e198d24dca1ba41/analysis/; classtype:trojan-activity; sid:33933; rev:2;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-CNC Win.Trojan.Tempedreve Samba probe"; flow:to_server,established; content:"|FF|SMB2"; content:"|03 01|"; distance:0; content:"|5C 00|T|00|e|00|m|00|p|00|.|00|e|00|x|00|e|00 00 00|"; within:20; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/b7ef98319be0c33e1660a0ca65eb3904c460095083e6d6eccce4ecdabea61f22/analysis/; classtype:trojan-activity; sid:33932; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Goldrv variant outbound connection"; flow:to_server,established; content:"/wp-includes/Text/Diff/Engine/engine/dlversion.php?id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1c5b2f9ea64d3de85b18570299b56f5215c45cbf77dab9c98bbcc12e62425af2/analysis/; classtype:trojan-activity; sid:33931; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vicepass outbound connection initial request to the CNC sending system information"; flow:to_server,established; content:"/index.php?data="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept:"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3999c879a255b7611e07ed9314348cddc739b59fb1c14d8a9808a0be06ea9775/analysis/; classtype:misc-activity; sid:33930; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ayuther variant outbound connection"; flow:to_server,established; content:"|00|u|00|i|00|f|00|k"; content:"|00|W|00|i|00|n|00|"; within:60; distance:80; content:"2|00|0|00|"; content:"|00|-|00|"; within:3; distance:3; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/548a5532364dded2bf7e08f68692a0b50f2626331def9bdf6152a481dc1201c4/analysis/; classtype:trojan-activity; sid:34013; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"/micro/data/index.php?micro="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34012; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"/microsoft/index.php?win="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34011; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"/microsoft/ie.php?win="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34010; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"/ex/ie.php?win="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34009; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"/44"; http_uri; content:"index.php?win="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34008; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"|3C 92 7C 92 3E 45 78 70 6C 6F 73 69 76 65|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34007; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"|3C 2A 60 21 51 40 57 23 45 34 92 2A 3E|"; depth:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34006; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"//v"; http_raw_uri; content:"index.php?win="; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 2.0.50727)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34005; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Explosive variant outbound connection"; flow:to_server,established; content:"==gKg5XI+BmK"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5/analysis/; classtype:trojan-activity; sid:34004; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Picommex outbound connection"; flow:to_server,established; content:"/susbonlmk"; fast_pattern:only ; http_uri; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; content:"fetchingid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02626be37b0f2bb0d1246da8216a29552467197487ff0724c0b463164ceb6bc7/analysis/; classtype:trojan-activity; sid:34003; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Picommex outbound connection"; flow:to_server,established; content:"/updateversion"; fast_pattern:only ; http_uri; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; content:"compid8ausd="; http_client_body; content:"&version"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02626be37b0f2bb0d1246da8216a29552467197487ff0724c0b463164ceb6bc7/analysis/; classtype:trojan-activity; sid:34002; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Picommex outbound connection"; flow:to_server,established; content:"/check_version.txt"; fast_pattern:only ; http_uri; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/02626be37b0f2bb0d1246da8216a29552467197487ff0724c0b463164ceb6bc7/analysis/; classtype:trojan-activity; sid:34001; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pwexes variant outbound connection"; flow:to_server,established; content:"/sd.php?dt=ftp"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Connection: Close"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; content:"dr="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7a7d1a2667eed09e6fb6b34fc67c3f89a86f452ecbf5f8c6b8df8c8a6e2bbc6c/analysis/; classtype:trojan-activity; sid:33997; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pwexes variant outbound connection"; flow:to_server,established; content:"/dlx.php?f=ftppd"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Connection: Close"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7a7d1a2667eed09e6fb6b34fc67c3f89a86f452ecbf5f8c6b8df8c8a6e2bbc6c/analysis/; classtype:trojan-activity; sid:33996; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Beshida outbound connection"; flow:to_server,established; content:"/seb/downloader/dl.php?"; fast_pattern:only ; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/807058e59d0c8271bfc0afae70699a85e33292182f30d1243a28b849ac5336fc/analysis/; classtype:misc-activity; sid:33994; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Insidious outbound connection"; flow:to_server,established; content:"/test/update/bin.exe"; fast_pattern:only ; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13412F4DCFF96ABD1E90825719D8B6464B8F58A730575E187D5177D3A1A50D77/analysis/; classtype:trojan-activity; sid:33993; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Insidious outbound connection"; flow:to_server,established; content:"/test/inout/out.php"; fast_pattern:only ; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13412F4DCFF96ABD1E90825719D8B6464B8F58A730575E187D5177D3A1A50D77/analysis/; classtype:trojan-activity; sid:33992; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trioptid outbound connection"; flow:to_server,established; content:"/resolve.conf"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Connection: Close"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d2cfa68d61a92f998d24a9f4b70083afcd0f468ff250d0ca532ea9da9e2f01c6/analysis/; classtype:trojan-activity; sid:33990; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trioptid outbound connection"; flow:to_server,established; content:"/update.php"; fast_pattern:only; http_uri; content:"id={"; content:"&vs="; within:37; distance:37; content:"&mdate="; within:7; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d2cfa68d61a92f998d24a9f4b70083afcd0f468ff250d0ca532ea9da9e2f01c6/analysis/; classtype:trojan-activity; sid:33989; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.ChinaZ outbound connection"; flow:established,to_server; dsize:168; content:" * "; depth:4; offset:69; content:"MHz|00|"; depth:5; offset:76; content:" MB|00|"; depth:6; offset:103; fast_pattern; content:"VIP|00|"; depth:4; offset:132; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html; classtype:trojan-activity; sid:33985; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Expilan variant outbound connection"; flow:to_server,established; content:"--__MESSAGE__ID__54yg6f6h6y456345"; content:"Content-Type: application/x-msdownload|3B| name=|22|mxtd|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/73eb2e407a95bb9001b60e18357cc53484aee7da94cc4c06a8a1760eaf2ece96/analysis/; classtype:trojan-activity; sid:34046; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eitenckay initial outbound connection"; flow:to_server,established; content:"/admin/data/member/1/index.php?page=08&enckey="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/807058e59d0c8271bfc0afae70699a85e33292182f30d1243a28b849ac5336fc/analysis/; classtype:trojan-activity; sid:34045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Exacrytion variant outbound connection"; flow:to_server,established; content:"/cryptotolarance/add.php"; fast_pattern:only; http_uri; content:"hwid="; nocase; http_uri; content:"winversion="; nocase; http_uri; content:"pswd="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/95a11858d6b385e3d7c0f65df2f209b8cf4816260af34117a955054d4b6b7512/analysis/; classtype:trojan-activity; sid:34044; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Igliveforg variant outbound connection"; flow:to_server,established; content:"/LIVE/signed.php?m="; fast_pattern:only; http_uri; content:"&u="; nocase; http_uri; content:"&v="; distance:0; nocase; http_uri; content:"&h="; distance:0; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6083bdfc82aacf53f91b588a8b599f759fadcbd198fe66c095644f55dba44faa/analysis/; classtype:trojan-activity; sid:34042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Igliveforg variant initial outbound connection"; flow:to_server,established; urilen:14,norm; content:"/LIVE/HOST.php"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6083bdfc82aacf53f91b588a8b599f759fadcbd198fe66c095644f55dba44faa/analysis/; classtype:trojan-activity; sid:34041; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banklaed variant outbound connection"; flow:to_server,established; content:"/clientes.php?"; depth:14; http_uri; content:"A1="; within:4; http_uri; content:"&A2="; distance:0; http_uri; content:"&A3="; distance:0; http_uri; content:"&Campo1="; distance:0; http_uri; content:"&Campo2="; distance:0; http_uri; content:"&Campo3="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7cefdb99d1c626d8a3f2dcc0424a37bc30957a07aff69a6c94336693bb4d7bcc/analysis/; classtype:trojan-activity; sid:34039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://pinterest.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34038; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://twitter.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34037; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: http://www.bing.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: http://www.msn.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34035; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://aol.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34034; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://yahoo.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34033; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://google.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34032; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: http://youtube.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34031; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex4 initial outbound connection"; flow:to_server,established; urilen:1; content:"Referer: https://facebook.com/|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A 0D 0A|"; byte_extract:1,4,lessthanChar,relative; byte_test:1,=,lessthanChar,7,relative; byte_extract:1,0,lChar,relative; byte_test:1,=,lChar,15,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a/analysis/; classtype:trojan-activity; sid:34030; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/pki/mscorp/crl/msitwww2.crl"; fast_pattern:only; http_uri; content:"Check|3A 20|"; http_header; content:"User-Agent: Microsoft-CryptoAPI/6.3|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c37a0c45fbec9dca672eb82e83c5bf006f5f17f345d1d4b95cce08e63015132d; classtype:trojan-activity; sid:34029; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bruecimig variant outbound connection"; flow:to_server,established; content:"/adminke/"; http_uri; content:"1="; depth:2; http_client_body; content:"&300=0&303=0&304=0&305=0&"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/13221d6f3f8035caa4b97a9c1bd336b44292ed5716f36d7e4840a1b498171854/analysis/; classtype:trojan-activity; sid:34028; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Endstar variant outbound connection"; flow:to_server,established; content:"/updata.php?t="; http_uri; content:"m="; within:2; distance:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/20cb36f3f9ac51b0cdd826008902923a469e1b8e5bcd1e64eca7457181a8990c/analysis/; classtype:trojan-activity; sid:34026; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Endstar variant outbound connection"; flow:to_server,established; content:"/list.rar"; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 5.01|3B| Windows NT 5.0)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/20cb36f3f9ac51b0cdd826008902923a469e1b8e5bcd1e64eca7457181a8990c/analysis/; classtype:trojan-activity; sid:34025; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NewPos outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0(compatible|3B| MSIE 7.0b|3B| Windows NT 6.0)|0D 0A|"; fast_pattern:only; http_header; content:"cs="; depth:3; http_client_body; content:"p="; within:15; http_client_body; content:"m="; within:200; http_client_body; content:"v="; within:20; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6be45edda8a4295eca613f2355464617f0467c7e06f3605d80719f92e02d2877/analysis/; classtype:trojan-activity; sid:34052; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Nepigon variant outbound connection"; flow:to_server,established; content:"/lightserver/Default.aspx"; depth:25; fast_pattern; http_uri; content:"|0D 0A|Msg|3A| "; http_header; content:"name"; distance:0; http_header; content:"delay"; distance:0; http_header; content:"Server1"; distance:0; http_header; content:"Ver"; distance:0; http_header; content:"Proxy"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/42b8898c07374b1fc6a4a33441aadf10e47f226d9d3bf3368a459c0e221dff73/analysis/; reference:url,www.virustotal.com/en/file/721676d529a0c439594502f1d53fec697adc80fa1301d2bf20c2600d99ceed4e/analysis/; classtype:trojan-activity; sid:34050; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.EvilBunny variant outbound connection"; flow:to_server,established; content:"/images/php/test.php?"; http_uri; content:"rec=11206-01"; within:12; fast_pattern; http_uri; content:"u="; within:3; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c6a182f410b4cda0665cd792f00177c56338018fbc31bb34e41b72f8195c20cc/analysis/; classtype:trojan-activity; sid:34049; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBPasswordStealer variant outbound connection"; flow:to_server,established; content:"/index.php?"; http_uri; content:"action=add"; fast_pattern; http_uri; content:"&username="; distance:0; http_uri; content:"&password="; distance:0; http_uri; content:"&app="; distance:0; http_uri; content:"&pcname="; distance:0; http_uri; content:"&sitename="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c38f6e640be783a511049d8e5006cac011/analysis/; classtype:trojan-activity; sid:34047; rev:1;)
alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant MSSQL response"; flow:to_client,established; content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|00|a|00|s|00|t|00|e|00|r|00|"; fast_pattern:only; content:"|08|D|00|B|00|S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity; sid:34136; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Erotimpact variant outbound connection"; flow:to_server,established; content:"/index.php?c="; fast_pattern; http_uri; content:"&r="; distance:0; http_uri; content:"&u=1"; distance:0; http_uri; content:"&t="; within:3; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/12072db321799801bbba1c4999cc1f4c477cc7697c9301c7370a3c823ad16ccc/analysis/; classtype:trojan-activity; sid:34132; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/avisos.php?IDMAQ="; fast_pattern:only; http_uri; content:"&DATA="; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/38d15b78067b137ab750cb01024d5327947a10ae38a6baa01e6819402b2383ed/analysis/; classtype:trojan-activity; sid:34130; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WIntruder outbound connection"; flow:to_server,established; content:"/image.php?id="; http_uri; content:"&act=1"; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2fcc46e4e34b77205adcd0023dd17a4bf4d54d23aafd0b0efcd3627511f392ed/analysis/; classtype:trojan-activity; sid:34128; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Zupdax variant outbound connection"; flow:to_server,established; content:"/index.php?a=getinfo"; http_uri; content:"User-Agent|3A| Agent"; http_header; content:"CPU%3A"; http_client_body; content:"MHZ"; distance:0; http_client_body; content:"GBmem%3A"; distance:0; http_client_body; content:"MB&ip=127%2E0%2E0%2E1&rem=hi&sid="; distance:0; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4f8905c6e60ff76041603401ddb1e10dd137ed1755828c6ed93b1b65f033c7eb/analysis/; classtype:trojan-activity; sid:34117; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacOS.Trojan.Wirelurker variant outbound connection"; flow:to_server,established; content:"/app/app.php?sn="; http_uri; content:"pn="; distance:0; http_uri; content:"mn="; distance:0; http_uri; content:"pv="; distance:0; http_uri; content:"os="; distance:0; http_uri; content:"pt="; distance:0; http_uri; content:"msn="; distance:0; http_uri; content:"yy="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2ff598efa7fadd4044d97fe1685034a02f3d414bd29a57722889c5915692b662/analysis/; reference:url,www.virustotal.com/en/file/f2a86a80a094bb51a53f1766b1dd7f8e2c8f1fe6f53c96a1184ea81c902ca095/analysis/; classtype:trojan-activity; sid:34116; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacOS.Trojan.Wirelurker variant outbound connection"; flow:to_server,established; content:"/mac_log/?appid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2ff598efa7fadd4044d97fe1685034a02f3d414bd29a57722889c5915692b662/analysis/; reference:url,www.virustotal.com/en/file/f2a86a80a094bb51a53f1766b1dd7f8e2c8f1fe6f53c96a1184ea81c902ca095/analysis/; classtype:trojan-activity; sid:34115; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent beacon reply attempt"; flow:to_client,established; file_data; content:"#-START-#"; depth:9; content:"#-END-#"; distance:0; pcre:"/#-START-#([A-Za-z0-9+\x2f]{4})*([A-Za-z0-9+\x2f]{2}==|[A-Za-z0-9+\x2f]{3}=)?#-END-#/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/37b6eda4a259fa4b653ab557bda366c571824fa16686ae6a3eef9140387b0237/analysis/; classtype:trojan-activity; sid:34113; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chrozil variant outbound connection"; flow:to_server,established; content:"/novo/A.php"; http_uri; content:"A=Chrome%3A"; depth:11; http_client_body; content:"%0D%0A%0D%0AFilezilla%3A%"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/118ac7571acc17e2b7a0ce6e7314095dd3d8c6d6365128d2d55f5ea05eb631f1/analysis/; classtype:trojan-activity; sid:34111; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scarsi variant outbound connection"; flow:to_server,established; content:"/topic.php"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:"|00|"; depth:1; offset:1; http_client_body; content:"|00|-|00|"; distance:0; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/97f915ea23eb08cb0a18530f30430afc467bb080108d9ea2176112a1f6b82765/analysis/; classtype:trojan-activity; sid:34108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Punkey outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0|28|compatible|3B| MSIE 7.0b|3B| Windows NT 6.0|29 0D 0A|"; fast_pattern:only; http_header; content:"cs="; depth:3; http_client_body; content:"&p="; distance:0; http_client_body; content:"&m="; distance:0; http_client_body; content:"&v="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3928e7352daa88d1b5480e96173e2f3e3b1e89ad0a94cced2fb3483a9b0a5d44/analysis/; classtype:trojan-activity; sid:34161; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"MALWARE-CNC MacOS.Backdoor.Xslcmd outbound connection"; flow:to_server,established; content:"compose.aspx?s="; fast_pattern:only; http_uri; content:"Accept-Language: zh-cn"; http_header; content:"Referer: http://www.appleupdate.biz/windows/cartoon"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1db30d5b2bb24bcc4b68d647c6a2e96d984a13a28cc5f17596b3bfe316cca342/analysis/; classtype:trojan-activity; sid:34155; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypvault outbound connection"; flow:to_server,established; content:"/p.vlt"; fast_pattern:only; http_uri; content:"Host:"; http_header; content:".onion.city"; within:40; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c1d0513317ff36763e3919bfcba138e3ee2fbe301799cad62478c1db6fb234fb/analysis/; classtype:trojan-activity; sid:34143; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_client,established; content:"|00 DE C5 45 99 14 1E F5 7E 56 78 DF 23 CE 8A 12|"; fast_pattern:only; content:"LvtfOWStYYHNbdiE15aNsOyg"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:34140; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Downloader.Netkrypt inbound response"; flow:to_client,established; file_data; content:"<config"; content:"<interval"; distance:0; content:"<timeout"; distance:0; content:"<urls"; distance:0; content:"<country"; distance:0; content:"<tasks"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bcb6337f4e4198048d6615dac9ee9f07f20d0f5f4b07ce11a2b52e05c1ac8869/analysis/; classtype:trojan-activity; sid:34138; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/5475615.png"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6d897527f2f741c3b3ba7a6e56ddf1aa4782f902fc4a4ed692416447951f410a/analysis/; classtype:trojan-activity; sid:34183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/5484831.png"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6d897527f2f741c3b3ba7a6e56ddf1aa4782f902fc4a4ed692416447951f410a/analysis/; classtype:trojan-activity; sid:34182; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/tmp/lo.jpg"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6d897527f2f741c3b3ba7a6e56ddf1aa4782f902fc4a4ed692416447951f410a/analysis/; classtype:trojan-activity; sid:34181; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/upload/module"; http_uri; content:"build.tgz"; within:9; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34263; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34262; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34261; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.AAEH variant outbound connection"; flow:to_server,established; urilen:<15; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)"; fast_pattern:only; content:"Host: "; nocase; http_header; content:"|3A|"; within:16; http_header; content:!"Referer: "; nocase; http_header; content:!"Accept"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0ccade380fd3a9ef7635e5c4e54b82c4ccd434c0bc3bbf76af3a99d744a1c5e7/analysis/; classtype:trojan-activity; sid:34246; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Yebot variant outbound connection"; flow:established,to_server; content:"some_magic_code1"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/4fb6e9c2279f059262a2c419b74bbf0cf4ecb0fceb8cbb5d44f65b6a588d0734/analysis/; classtype:trojan-activity; sid:34223; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nanocore variant outbound connection"; flow:to_server,established; content:"/NanoStats/NanoStats.php"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"Username="; http_client_body; content:"FileName="; distance:0; http_client_body; content:"Status="; distance:0; http_client_body; content:"ClientGUID="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0baa57e91deedf732da0edb2e4750006660e9fb4c6ba4be170f92031b8bc0e28/analysis/; classtype:trojan-activity; sid:34219; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Aytoke variant outbound connection"; flow:to_server,established; content:"/u/up.php"; http_uri; content:"User-Agent: HTTP|0D 0A|"; http_header; content:"boundary=53416846135184646"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0e0a7056024c00f95470a4e56ee8a2f67c717414ad38c28f30476c0462822e4f/analysis/; classtype:trojan-activity; sid:34217; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FighterPOS variant outbound connection"; flow:to_server,established; content:"/BrFighter/bot/"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d2fcc755406c8d3c773a4aecd0284d32747776a51f9bfd9297badcbc62a0e1e4/analysis/; classtype:trojan-activity; sid:34216; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Capimac variant outbound connection"; flow:to_server,established; urilen:<23; content:"x-shockwave-falsh"; nocase; http_header; content:"Mozilla/4.0 (compatible|3B|MSIE 8.0|3B|Windows NT 5.1|3B|Trident/4.0)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f491ce57548290f05c4d3b9796eeb6247d8bd69e13b1a00bdaafbe89f1815105/analysis/; classtype:trojan-activity; sid:34214; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/raw.php?i=hcitN3Lt"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b4512bb3f68521a0c52e6e351c235616b1379c82987ed8022b185cf838acc6c5/analysis/; classtype:trojan-activity; sid:34283; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/raw.php?i=ZTdFDHX6"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b4512bb3f68521a0c52e6e351c235616b1379c82987ed8022b185cf838acc6c5/analysis/; classtype:trojan-activity; sid:34282; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection"; flow:to_server,established; content:"/5551872.png"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b4512bb3f68521a0c52e6e351c235616b1379c82987ed8022b185cf838acc6c5/analysis/; classtype:trojan-activity; sid:34281; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection"; flow:to_server,established; urilen:>300; content:"/state1.php?"; depth:12; nocase; http_uri; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; pcre:"/\/state1\.php\?[A-Za-z0-9\x2B\x2F\x3D]{300}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4/analysis/; classtype:trojan-activity; sid:34280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Klogwjds variant outbound connection"; flow:to_server,established; content:"/w.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla|0D 0A|"; http_header; content:"maxv="; http_client_body; content:"minv="; within:5; distance:2; http_client_body; content:"Build|3A|"; within:6; distance:2; http_client_body; content:"SP|3A|"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e499d455a6560974bea8131f85fa93815999ffc3675d78b3bde5e3cb69865ea1/analysis/; classtype:trojan-activity; sid:34319; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; urilen:<130; content:".php?"; nocase; http_uri; content:"|3D|"; within:1; distance:1; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; nocase; http_header; content:!"|0D 0A|Accept-"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"|3D|"; depth:2; offset:1; http_client_body; pcre:"/^[a-z]\x3d[a-f\d]{80,140}$/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:34318; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/aadd_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/gget_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/flupdate/"; http_uri; content:".html"; within:7; http_uri; pcre:"/\/flupdate\/\d\.html/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/all_file_info1.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&user="; distance:0; http_uri; content:"&file="; distance:0; http_uri; content:"&type="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/add_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/get_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34312; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/"; http_uri; content:"_flash"; within:12; http_uri; content:".php?"; within:15; http_uri; content:"name="; distance:0; http_uri; content:"&serial="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34311; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/add_user.php?name="; http_uri; content:"&user="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/products/file_order"; http_uri; content:".php?"; within:8; http_uri; content:"name="; distance:0; http_uri; content:"&path="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34309; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/products/fupdates.php?"; http_uri; content:"account="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34308; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/get_status.php?name="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34307; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Simda variant outbound connection"; flow:to_server,established; urilen:>150; content:"/?"; depth:2; http_uri; content:"="; within:1; distance:2; http_uri; content:"=="; distance:0; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:2.0b8pre) Gecko/20101114 Firefox/4.0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"Referer"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/00bd4109e8a8d51bb0e46fcd491a9170741688213817f1dec106245cc1f8f09f/analysis/; classtype:trojan-activity; sid:34297; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Simda variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Trident/4.0|3B| .NET CLR 2.0.50727|3B| .NET CLR 1.1.4322|3B| .NET CLR 3.0.04506.590|3B| .NET CLR 3.0.04506.648|3B| .NET CLR 3.5.21022|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/00bd4109e8a8d51bb0e46fcd491a9170741688213817f1dec106245cc1f8f09f/analysis/; classtype:trojan-activity; sid:34296; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraken outbound connection"; flow:to_server,established; content:"/idcontact.php?"; http_uri; content:"&steam="; within:35; http_uri; content:"&origin="; within:10; http_uri; content:"&webnavig="; within:12; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; classtype:trojan-activity; sid:34292; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Plez outbound connection"; flow:to_server,established; content:"|7E 7E|"; depth:2; offset:8; http_client_body; content:"|EA|"; depth:1; offset:84; http_client_body; content:"|7E 7E 7E|"; depth:3; offset:85; http_client_body; content:"|7E 7E 7E|"; depth:3; offset:89; http_client_body; content:"|7E|"; depth:1; offset:75; http_client_body; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT"; fast_pattern; http_header; content:"|3B| SV1"; distance:3; content:".php"; http_uri; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; pcre:"/[0-9a-fA-F]{8}[a-z]{6}.php/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2c10918f898220fe427b66d89dc8c4ca078e2de17827a64eb15b14a92e251c35/analysis/; classtype:trojan-activity; sid:34290; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Plez outbound connection"; flow:to_server,established; content:"addr.asp"; fast_pattern:only ; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT"; http_header; content:"|3B| SV1"; distance:3; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2c10918f898220fe427b66d89dc8c4ca078e2de17827a64eb15b14a92e251c35/analysis/; classtype:trojan-activity; sid:34289; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mudrop variant outbound connection"; flow:to_server,established; content:"/v1/count.asp?mac="; fast_pattern:only; http_uri; content:"&ver="; http_uri; content:"&os="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4bb9ab08ec20a0331a08aee894aadea81175e70619732c2a3b79e4bab398ed92/analysis/1395425759/; classtype:trojan-activity; sid:34286; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Cryptolocker variant inbound connection"; flow:to_client,established; ssl_state:server_hello; content:"|16|"; depth:1; content:"|00 EA A3 3C B6 6E 62 16 33|"; within:9; distance:108; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/d94e68a2d43a373808c56964259ea020d39781aa71628672ecf3240f59fdcf03/analysis/; classtype:trojan-activity; sid:34329; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedepshel variant outbound connection"; flow:to_server,established; content:"?action="; nocase; http_uri; content:"&pubid="; distance:0; nocase; http_uri; content:"&subid="; distance:0; nocase; http_uri; content:"&systemhash="; distance:0; nocase; http_uri; content:"&ver="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/34c831b33621d869fe9ae6b0ecd816476d4bec59ff5ad6123cbce7706b2b93ae/analysis/; classtype:trojan-activity; sid:34327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection"; flow:to_server,established; content:"MODE #purgatorio +k 25679 +s"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/4792690be2d81c69d8618790a42a9abf6c1c7f5bfde18d5f32fd78f29449e442/analysis/; classtype:trojan-activity; sid:34326; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"MALWARE-CNC Win.Trojan.Sanhotan variant outbound connection"; flow:to_server,established; content:"MODE #Ocultismo +k 25679 +s"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/4792690be2d81c69d8618790a42a9abf6c1c7f5bfde18d5f32fd78f29449e442/analysis/; classtype:trojan-activity; sid:34325; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Siromost variant outbound connection"; flow:to_server,established; content:"/help24/java/read.php?id="; depth:25; http_uri; content:"&file="; within:6; distance:40; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4b44f3b2644278620283953593072306aa9e15693a3f2de5f38f61bfa46d1517/analysis/; classtype:trojan-activity; sid:34324; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fulairo variant outbound connection"; flow:to_server,established; content:"/asa/index.php?secue="; depth:21; http_uri; content:"&pro="; within:6; distance:4; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9a0349c3e843a0a43db2fb260f7b4a8e1ec8bf0b99dd62d1dfb3f85e1d7bcdf2/analysis/; classtype:trojan-activity; sid:34323; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Farfli outbound connection"; flow:to_server,established; content:"GET /php.php"; depth:12; content:"|0D 0A|User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1e31d6d9a9b0280d56dd9fb7de551d595422bf68ba9176da7cc20761f4d87f8a/analysis/; classtype:trojan-activity; sid:34322; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cheprobnk variant outbound connection"; flow:to_server,established; content:".php?plug="; http_uri; content:"&GBS="; within:5; distance:3; http_uri; content:"&SYS="; distance:0; http_uri; content:"&USERPC="; distance:0; http_uri; content:"&AVS="; distance:0; http_uri; content:"&NAV="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/123a2a462fadd7667bf4fc9c824807c51ecc8527ec4454efc3cdf756912e02f0/analysis/; classtype:trojan-activity; sid:34347; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Backspace outbound connection"; flow:established,to_server; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 6.0|3B| Win32|29 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|HOST|3A| "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c50a48ef605b1f57f37afb883d643d69233cf506065d2bf806dae639cac8c264/analysis/; classtype:trojan-activity; sid:34346; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Cybergate outbound connection"; flow:to_server,established; dsize:<22; content:"myversion|7C|"; depth:10; content:"|2E|"; within:2; distance:1; content:"|0D 0A|"; depth:10; offset:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.cyber-planet.org/products/cybergate-excel/; classtype:trojan-activity; sid:34339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.Win32.Chkngrbot.A outbound connection"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" attack (ReferenceId|3A| "; within:128; distance:5; nocase; content:") (Host|3A| "; within:32; distance:1; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/596b0224551fab492e74d64065a2399cea44e15f9bef64bbeeccda2d2bc7b9d6/analysis/; classtype:trojan-activity; sid:34338; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.Win32.Chkngrbot.A outbound connection"; flow:to_server,established; content:"MODE "; depth:5; nocase; content:" +piwksT-x|0D 0A|"; within:46; distance:20; nocase; pcre:"/MODE\sd?u?n?\x7b[AU]\x5c[LD]\x5c(86|64)\x5c\w{0,8}\x5c\w{2,16}\x7d[a-z]{8}\s\x2BpiwksT\x2Dx\x0D\x0A/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/596b0224551fab492e74d64065a2399cea44e15f9bef64bbeeccda2d2bc7b9d6/analysis/; classtype:trojan-activity; sid:34337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:19; content:"/arquivo/cookie.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34368; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:16; content:"/arquivo/vrs.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34367; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Beebone outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|"; fast_pattern:only; content:"GET"; pcre:"/GET \/[a-z]{8,12}\?[a-z] HTTP\/1.1/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/b06c6ac1174a6992f423d935ccba6f34f107b6591768a743d44d66423312d33a/analysis/; classtype:trojan-activity; sid:34366; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mantal variant outbound connection"; flow:to_server,established; content:"|3C|Information|3E 0D 0A 3C|id|3E|"; depth:19; http_client_body; content:"|3C 2F|Version|3E 0D 0A 3C|profile|3E 0D 0A 3C|UserDisplayName|3E|"; distance:0; http_client_body; content:"|3C 2F|OutgoingUseAuthentication|3E 0D 0A 3C|OutgoingLoginName|3E|"; fast_pattern:only; http_client_body; content:"|3C 2F|profile|3E 0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6c74cb120e3bfa6976aa9cce8a63c114afe7e6515c4409bf7b81c69bf37fd06b/analysis/; classtype:trojan-activity; sid:34362; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| rv:7.0.1) Gecko/20100101 Firefox/7.0.1|0D 0A|"; fast_pattern:only; http_header; content:"Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.8,*/*|3B|q=0.9|0D 0A|"; http_header; content:"Accept-Language: en-us,en|3B|q=0.5|0D 0A|"; distance:0; http_header; content:"Accept-Encoding: gzip, deflate|0D 0A|"; distance:0; http_header; content:"Accept-Charset: ISO-8859-1,utf-8|3B|q=0.7,*|3B|q=0.7|0D 0A|"; distance:0; http_header; content:"Connection: close|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/84dfe2ac489ba41dfb25166a983ee2d664022bbcc01058c56a1b1de82f785a43/analysis/1430849540/; classtype:trojan-activity; sid:34462; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0|0D 0A|Host: "; depth:28; content:"Content-type: application/x-www-form-urlencoded|0D 0A|Content-Length: "; within:100; content:"|0D 0A 0D 0A 0F 0F 09|"; within:25; fast_pattern; content:!"User-Agent: "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/9512cd72e901d7df95ddbcdfc42cdb16141ff155e0cb0f8321069212e0cd67a8/analysis/1430996623; classtype:trojan-activity; sid:34461; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Mozibe variant outbound connection"; flow:to_server,established; content:"/php/zombieHandShake.php"; fast_pattern:only; http_uri; content:"hash="; http_client_body; content:"&sysInfo="; distance:0; http_client_body; content:"|20 2D 20|"; distance:0; http_client_body; content:"&lastConnection="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f1d46bff496c9d520d68fe2c1ba45b7edf8604f68305f9ad7698db89f948d299/analysis/; classtype:trojan-activity; sid:34460; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pvzin variant outbound connection"; flow:to_server,established; content:"/js/jquery/default.aspx"; http_uri; content:"Content-Disposition|3A| inline|3B| Comp=KAKTOOS|3B| User=Send|3B| Op=sos|3B| var= 0.0.3 |3B|"; fast_pattern:only; http_header; content:"User-Agent|3A| Mozila|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2e32c6c9179750df7f1ab35536f09c6b09c73faccea7325fe5c79b5087f5dd6f/analysis/; classtype:trojan-activity; sid:34459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tendrit variant outbound connection"; flow:to_server,established; content:"/favicon?"; http_uri; content:"="; within:6; distance:1; http_uri; content:"&Done"; distance:0; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3d6ea8b12778b6714648e5c33ee11f7cc720ccdc9803f713229b10ccef23e84c/analysis/; classtype:trojan-activity; sid:34458; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"sname="; depth:6; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34453; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/poppxr/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34452; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Odlanor information exfiltration attempt"; flow:to_server,established; content:"/r.php?m=2&v="; fast_pattern:only; http_uri; content:"&os="; nocase; http_uri; content:"&c="; within:50; nocase; http_uri; content:"&u="; within:50; nocase; http_uri; content:"Connection: close|0D 0A 0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/en/file/32c59db32252e9eafc4a21bbb0cdacf4020da9f4c43950c6bf18a98b2092d5d7/analysis/; classtype:trojan-activity; sid:34446; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kriptovor variant outbound connection"; flow:to_server,established; content:"/loader.php?name="; depth:17; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4FB71EAB872476B7AC8B66401EE28F88602902F737A7163C5CF5C6B099DEDED0/analysis/; classtype:trojan-activity; sid:34476; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Nirunte variant outbound connection"; flow:to_server,established; urilen:12,norm; content:"/sp/info.php"; fast_pattern:only; http_uri; content:"sid="; depth:4; http_client_body; content:"929%2E"; distance:0; http_client_body; content:"appliction"; distance:0; http_client_body; content:"sidfile"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/05912af9f0f569f1a80a5d0799c5a85d61653ab5b3ac05afaecd49f994b8a411/analysis/; classtype:trojan-activity; sid:34470; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Nirunte variant outbound connection"; flow:to_server,established; content:"/sp/command.php?sid="; depth:20; http_uri; content:"929."; distance:0; http_uri; content:"&compname"; distance:0; http_uri; content:"user"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/05912af9f0f569f1a80a5d0799c5a85d61653ab5b3ac05afaecd49f994b8a411/analysis/; classtype:trojan-activity; sid:34469; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pushdo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header; content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29891; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Keylogger inbound connection"; flow:to_client,established; file_data; content:"787**KB"; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-0497; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:29616; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Keylogger outbound connection"; flow:to_server,established; content:"/sizemore/css5.php?a"; depth:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-0497; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:29615; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Renos.FH variant outbound connection"; flow:to_server,established; content:"|2F|help|2F|hc|2F|images|2F|chrome32|2E|gif"; nocase; http_uri; content:"image-big-library|2E|com"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:url,www.virustotal.com/#/file/3b4209251d36994d7efce922cbb8a4fd/detection; classtype:trojan-activity; sid:19803; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalexis variant outbound connection"; flow:to_server,established; content:"/random/run.jpg"; fast_pattern:only; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/64b213090ee1e1b05395e4cc71e0cd85ad3eac8adf24c0c61b114ad8fd22b34c/analysis/; classtype:trojan-activity; sid:34541; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dalexis variant outbound connection"; flow:to_server,established; content:"/language/run.jpg"; fast_pattern:only; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/64b213090ee1e1b05395e4cc71e0cd85ad3eac8adf24c0c61b114ad8fd22b34c/analysis/; classtype:trojan-activity; sid:34540; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; dsize:16; content:"|00 00 00 11 D0 00 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34501; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MalPutty variant outbound connection"; flow:to_server,established; content:"/index.php?record=c3NoOi8v"; fast_pattern:only; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d3e866e5bf18f2d9c667563de9150b705813e03377312b6974923f6af2e56291/analysis/; classtype:trojan-activity; sid:34491; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nalodew variant outbound connection"; flow:to_server,established; content:"Connection|3A|---|3A|www|3A|---|3A|NEW"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/53a6a73efc57ffd75a8a7d4c7abe635a1078ec2443a0f2f291488daa3573eb34/analysis/; classtype:trojan-activity; sid:34489; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mathanuc outbound connection"; flow:to_server,established; content:"/wp-content/upgrade/kk.php?"; fast_pattern:only; http_uri; content:"ud="; http_uri; content:"iud="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/299cac70dd0ab4c6047008689798cdcdea169acb865c6a0f9b529ba399e1e80a/analysis/; classtype:trojan-activity; sid:34581; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zinnemls variant outbound connection"; flow:to_server,established; urilen:12,norm; content:"/wab/wab.php"; fast_pattern:only; http_uri; content:"tipo=&tip=WB"; depth:12; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7d8888933bd616ab59229d8ffc11b6519949e7b7ed72ea55e0b55ecc2e620509/analysis/; classtype:trojan-activity; sid:34572; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC MacOS.Trojan.MacVX outbound connection"; flow:to_server,established; content:"/?dp="; http_uri; content:"&cb="; within:4; distance:50; http_uri; pcre:"/\x2f\x3fdp\x3d[A-Z0-9]{50}&cb\x3d[0-9]{9}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c0a0c4ca87d1f6b4be7f5f549fce531fbf0df871cc9f1eb38aa12a8273ad7e81/analysis/1432225808/; classtype:trojan-activity; sid:34567; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC possible Conficker.C HTTP traffic 2 "; flow:established,to_server; content:"Accept-Language|3A| en-GB,es-US|3B|q=0.5"; reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity; sid:15452; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC possible Conficker.C HTTP traffic 1 "; flow:established,to_server; content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5"; reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity; sid:15451; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/popkx3/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d6beeae945d570d98784bdea68310ddef17f4a03534632dec48c691677c67402/analysis/; classtype:trojan-activity; sid:34622; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.Enkalogs outbound connection"; flow:to_server,established; file_data; content:"[Enter]|0D 0A|"; content:"[Enter]|0D 0A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7ba2d2ae6c44c1e13cfe04b45074bb35d34a688c9fae3b8e4b0259e53e782495/analysis/; classtype:trojan-activity; sid:34614; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dujfudg outbound connection"; flow:to_server,established; content:"/img/seperator?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"action="; http_uri; content:"run="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a8f6371ff921ffba35722ee508b3b545e07a87f2402b0dfc67a9b1acaed561cf/analysis/; classtype:trojan-activity; sid:34611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"MALWARE-CNC Win.Trojan.Kayfcbk outbound connection"; flow:to_server,established; content:"S|00|E|00|L|00|E|00|C|00|T|00| |00|i|00|m|00|g|00| |00|F|00|R|00|O|00|M|00| |00|d|00|b|00|o|00|.|00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00| |00|W|00|H|00|E|00|R|00|E|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5e9f38b53cdf5381c4f8c4b2a7fcccbea6efe7741034d2b809ca823a2f32b0ee/analysis/; classtype:trojan-activity; sid:34610; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.NitLove variant outbound connection"; flow:to_server,established; content:"User-Agent: nit_love"; fast_pattern:only; http_header; content:"/derpos/gateway.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/136c0e357dfa7d2497e937cc256ad58e063b70cd413d262e3e3dc1da8b0bc9cc/analysis/; classtype:trojan-activity; sid:34609; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Punkey variant outbound connection"; flow:to_server,established; content:"/h4g2v34hk/"; depth:11; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e0c4696093c71a8bbcd2aef357afca6c7b7fbfe787406f6797636a67ae9b975d/analysis/; classtype:trojan-activity; sid:34608; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teqimp outbound connection"; flow:to_server,established; content:"/images/image.gif?"; http_uri; content:"b8a34ad="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4742abba9f94176cf4aa40edfb836c0657ffcc698fd67700e2569edea1469182/analysis/; classtype:trojan-activity; sid:34601; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"MALWARE-CNC Win.Trojan.Kjdoom outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|SiR-DoOoM"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8d2cc4c32d19c6eaa43e92679e8d8c66b866027f7c21583f858774f2f0848068/analysis/; classtype:trojan-activity; sid:34600; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1010 (msg:"MALWARE-CNC Win.Trojan.Kjdoom outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|KJw0rm"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8d2cc4c32d19c6eaa43e92679e8d8c66b866027f7c21583f858774f2f0848068/analysis/; classtype:trojan-activity; sid:34599; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1991 (msg:"MALWARE-CNC Win.Trojan.Kjdoom outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|XKSHHACKERX"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/362454c019d71539287d50d763260dc586c0a8834952cf90e8e58341cd668550/analysis/; classtype:trojan-activity; sid:34598; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Atrax variant outbound connection"; flow:to_server,established; content:"/auth.php?a="; fast_pattern:only; http_uri; content:"h="; depth:2; http_client_body; content:"&m=y"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0bc2db99f5277ddc89409a8c487298df5dbf34108146c58885ad0c804422c27f/analysis/; classtype:trojan-activity; sid:34597; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Atrax variant outbound connection"; flow:to_server,established; content:"/auth.php?a="; fast_pattern:only; http_uri; content:"h="; depth:2; http_client_body; content:"&m=n"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0bc2db99f5277ddc89409a8c487298df5dbf34108146c58885ad0c804422c27f/analysis/; classtype:trojan-activity; sid:34596; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Flactionbot outbound connection"; flow:to_server,established; content:"/img/new/n.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/43861501e7e7bb546b55a9323d1cff132dddb750b3e86823af7ea08d45357e28/analysis/; classtype:trojan-activity; sid:34637; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Flactionbot outbound connection"; flow:to_server,established; content:"/img/new/ref.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/43861501e7e7bb546b55a9323d1cff132dddb750b3e86823af7ea08d45357e28/analysis/; classtype:trojan-activity; sid:34636; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Crypaura variant outbound connection"; flow:to_server,established; urilen:<14; content:"script.php"; depth:14; offset:3; http_uri; content:"number=128"; http_client_body; content:"&id="; distance:0; http_client_body; content:"&pc="; distance:0; http_client_body; content:"&tail=.id"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/78854da147fc6f7327448a807de6f102b6799a0e59d4c66cf7eadf8690515ef9/analysis/; classtype:trojan-activity; sid:34624; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Logreaz variant outbound connection"; flow:to_server,established; content:"ReaLLogger v"; nocase; content:"by Van32"; within:12; nocase; metadata:impact_flag red, policy security-ips drop, service ftp-data; reference:url,virustotal.com/en/file/b448f97efa38411c4d4c6755d050a34e0f335063dbb84355cc55bd994a3b0d21/analysis/; classtype:trojan-activity; sid:34871; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Logreaz variant outbound connection"; flow:to_server,established; content:"User-Agent: Uploador"; fast_pattern:only; http_header; content:"name="; nocase; http_client_body; content:"filename="; distance:0; nocase; http_client_body; content:"Log_"; within:5; nocase; http_client_body; content:"ReaLLogger v"; distance:0; nocase; http_client_body; content:"by Van32"; within:12; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b448f97efa38411c4d4c6755d050a34e0f335063dbb84355cc55bd994a3b0d21/analysis/; classtype:trojan-activity; sid:34870; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.XTalker outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent|3A 20|Testing|0D 0A|"; fast_pattern:only; content:"/docs/kernel32.dat"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e335585810975e43c1a489001d8c7e2f59c0d80a0f787b9f97ae0ec92ed0dd8d/analysis/; classtype:trojan-activity; sid:34869; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/vbulletin/post.php?qu="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Xobtide outbound connection"; flow:to_server,established; content:"/index.html"; http_uri; content:"editbox=Darks123!@#"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/40ada5e49ebd1fea39087c1d932398fd2caf962634b982ae9e9acacdf920bc37/analysis/; classtype:trojan-activity; sid:34867; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Saibipoc outbound connection"; flow:to_server,established; content:"/wp-admin/maint/hat.php"; fast_pattern:only; http_uri; content:"name="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d1e1747c4a4f24c6dc4f15fa173520fa9fefa2e4213a9f63349589b5bcbf0e7/analysis/; classtype:trojan-activity; sid:34866; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Saibipoc outbound connection"; flow:to_server,established; content:"/wp-admin/maint/push.php"; fast_pattern:only; http_uri; content:"ff="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d1e1747c4a4f24c6dc4f15fa173520fa9fefa2e4213a9f63349589b5bcbf0e7/analysis/; classtype:trojan-activity; sid:34865; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection"; flow:to_server,established; content:"|05|i|06|e|0E|k|19|7T$TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTeeee"; fast_pattern:only; http_client_body; content:"/dilly/"; depth:8; nocase; http_uri; content:"index6.php"; within:10; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6fa0388fc7bf56600d5b0bc1b0651b3ecc927377250d0156bc6538bd032e551a/analysis/; classtype:trojan-activity; sid:34863; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wheelsof variant outbound connection"; flow:to_server,established; content:"|05|i|06|e|0E|k|19|7T$TTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTeeee"; fast_pattern:only; http_client_body; content:"/dilly/"; depth:8; nocase; http_uri; content:"get_ip.php"; within:10; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6fa0388fc7bf56600d5b0bc1b0651b3ecc927377250d0156bc6538bd032e551a/analysis/; classtype:trojan-activity; sid:34862; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fanny outbound connection"; flow:to_server,established; content:"/results/QueryRecord"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|)|0D 0A|"; http_header; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-2568; reference:url,virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity; sid:34857; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.ChinaZ outbound connection"; flow:established,to_server; dsize:296; content:"|20 2A 20|"; depth:3; offset:65; content:"MK64|00|"; depth:5; offset:128; fast_pattern; content:"Status|3A|"; depth:7; offset:169; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2014-6271; reference:url,blog.malwaremustdie.org/2015/01/mmd-0030-2015-new-elf-malware-on.html; classtype:trojan-activity; sid:34847; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adelinoq outbound connection"; flow:to_server,established; content:"POST /link.php"; depth:14; content:"|0D 0A 0D 0A|PKEY|00 00 00|"; distance:0; fast_pattern; content:!"User-Agent|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/bfe430e6aaa6e6e601d8b9e846998a5b2653f034895ac73d7ea1a367546b166f/analysis/; classtype:trojan-activity; sid:34844; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownExecute outbound connection"; flow:established,to_server; urilen:9; content:"/dw/setup"; fast_pattern:only; http_uri; content:"Content-Type|3A| multipart/form-data|3B| boundary=------------------------"; http_header; content:"ci_session="; http_cookie; content:!"User-Agent|3A|"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9/analysis/; classtype:trojan-activity; sid:34842; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownExecute outbound connection"; flow:established,to_server; urilen:7; content:"/dw/gtk"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Accept|3A| */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9/analysis/; classtype:trojan-activity; sid:34841; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownExecute outbound connection"; flow:established,to_server; urilen:>150; content:"/setup/"; depth:7; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; pcre:"/\/setup\/[a-z0-9!-]{50}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9/analysis/; classtype:trojan-activity; sid:34840; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587,2525,2526] (msg:"MALWARE-CNC Win.Trojan.Neos outbound connection"; flow:to_server,established; content:"Victim Computer Name:"; fast_pattern:only; content:"Victim Username:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/63cdfbfbbbc50b06acb75e6059cf63721cb814cd825b9e5d29b7a0b50bc8d78b/analysis/; classtype:trojan-activity; sid:34835; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Werdlod variant outbound connection"; flow:to_server,established; content:"/counter.php?vtrtvrvtrtvertvr"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; content:!"Accept: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f27690e8c1b3619fd3e53cdafed363a6a71e31c57e888a8c62a1242ba40dc605/analysis/; classtype:trojan-activity; sid:34833; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cozybear variant outbound connection"; flow:to_server,established; content:"/galeria/index.php?"; fast_pattern:only; http_uri; urilen:19; content:!"Accept: "; http_header; content:"User-Agent: iTunes/12.0.1 (Windows|3B| N)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/bc5625c674f08cca18e73eb661eed0182ef16e27983098cf1c61892ca621d60b/analysis/; classtype:trojan-activity; sid:34832; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cozybear variant outbound connection"; flow:to_server,established; content:"/galeria/index.php?"; fast_pattern:only; http_uri; urilen:19; content:!"Accept: "; http_header; content:"User-Agent: Java/1.8.0_26"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/bc5625c674f08cca18e73eb661eed0182ef16e27983098cf1c61892ca621d60b/analysis/; classtype:trojan-activity; sid:34831; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emdivi outbound connection"; flow:to_server,established; content:"&date=%2BBQF.4"; fast_pattern:only; http_client_body; content:"%1Dh%1DYQY.4"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4a2a9b6a5fedd8de12a963effb7b800b7953c017c8a73a8ef353d661c879d137/analysis/; classtype:attempted-user; sid:34818; rev:2;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Critroni certificate exchange"; flow:to_client,established; content:"|00 D3 62 47 DA 62 4A A1 34|"; content:"|3B 02 49 86 4B DF D7 D7 6C E2 2F 36 81 01 24 3F|"; within:400; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/af7a9f581653394955bec5cf10a7dbafbf64f42d09918807274b5d25849a1251/analysis/; classtype:trojan-activity; sid:34917; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sojax variant outbound connection"; flow:to_server,established; content:"@.c HTTP"; fast_pattern:only; content:"/count/"; depth:7; nocase; http_uri; content:"GET"; nocase; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/004a262e3b5fb008adeba5949a285e3c18b0191a98f4387e1ca5a34f94dfb83b/analysis/; classtype:trojan-activity; sid:34888; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sojax variant outbound connection"; flow:to_server,established; content:"/count/count.php"; fast_pattern:only; http_uri; content:"m="; nocase; http_uri; content:"n="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/004a262e3b5fb008adeba5949a285e3c18b0191a98f4387e1ca5a34f94dfb83b/analysis/; classtype:trojan-activity; sid:34887; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000,9001] (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"|DD AA 99 66|"; depth:4; content:"|E0 06 93 E0 06 00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,www.virustotal.com/en/file/af03acfce9fd219176144a978a785576c886eab49f613be04a5a3f9e2ddfb961/analysis/; classtype:trojan-activity; sid:34886; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jemerr variant outbound connection"; flow:to_server,established; content:"/up.asp"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&jjm="; within:40; nocase; http_client_body; content:"&wjm="; within:25; nocase; http_client_body; content:"&err="; within:10; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4c6f9a15dcf938e4f572d2502fa67dd091cf6fd0a99b51c0c9bcb7e058826c08/analysis/; classtype:trojan-activity; sid:34877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Fudu outbound variant connection "; flow:to_server,established; content:"X-ID: 00"; fast_pattern:only; http_header; pcre:"/X-ID\x3a\s\x30\x30+[0-9a-f]{20}(\r\n)+/iH"; content:"/p/pu"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1c9af096e4c7daa440af136f2b1439089a827101098cfe25b8c19fc7321eaad9/analysis/; classtype:trojan-activity; sid:34876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Compfolder variant outbound connection"; flow:to_server,established; content:"/bbs/data/intro.php?type=up"; fast_pattern:only; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|image1|22 3B| filename=|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|upUrl|22 0D 0A|"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dbed3a1fd186daf714dac7f0e664a0c37ed1604be0242141937e75fd66b2bd41/analysis/; classtype:trojan-activity; sid:34872; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Swaylib outbound variant connection "; flow:to_server,established; content:"form-data|3B| name=|22|i|22 0D 0A 0D 0A|"; nocase; http_client_body; content:"form-data|3B| name=|22|c|22 0D 0A 0D 0A|"; distance:0; nocase; http_client_body; byte_test:1, <=, 2, 0, relative, string, dec; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6d02fb18691835e331c2815cbd4a31813437cf5b728fde6e0db5192a92e4c552/analysis/; classtype:trojan-activity; sid:34936; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535] (msg:"MALWARE-CNC Win.Trojan.Zutwoxy outbound connection"; flow:to_server,established; content:"SERVER|7C|Final-"; depth:13; nocase; content:"|7C|Idle..|7C|"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/e3af86400e2373dca0753712c78434ed120766f53a173234478d5a1e2a05eb39/analysis/; classtype:trojan-activity; sid:34935; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8585 (msg:"MALWARE-CNC Win.Trojan.Pheloyx outbound connection"; flow:to_server,established; content:"YY4.X"; depth:9; nocase; dsize:260; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5bda7a527260e8f1bb83c169a4739f9fb7ed87befa6e8e878110a87d1cdb8015/analysis/; classtype:trojan-activity; sid:34934; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3330 (msg:"MALWARE-CNC Win.Trojan.Shindo outbound connection"; flow:to_server,established; content:"|7C|#$A"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/7d6f0d2681c5d837b3645618f8345e6907f185de012dfb9e0d3ea08a41f0ad5d/analysis/; classtype:trojan-activity; sid:34932; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"ID_MAQUINA="; fast_pattern:only; http_client_body; content:"&VERSAO="; nocase; http_client_body; content:"&WIN="; within:50; nocase; http_client_body; content:"&NAVEGADOR="; within:200; nocase; http_client_body; content:"&PLUGIN="; within:50; nocase; http_client_body; content:"&AV="; within:50; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7816d2b6507950177cf1af596744abe523cad492f4d78e230962602b1b269044/analysis/; classtype:trojan-activity; sid:34931; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cyvadextr variant outbound connection"; flow:to_server,established; content:"/encourage/help?pointed=855444"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/33774900681b25519d0b023d6d78a043cc2dff0a21d6f6df89e314c91118c0fd/analysis; classtype:trojan-activity; sid:34966; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptolocker outbound connection"; flow:to_server, established; content:"hwid="; depth:5; http_client_body; content:"&func="; within:6; distance:39; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a4657b0a2cdb3caf405c344f81e7afaacfe2df1558d1e470be6822e2e3666533/analysis/; classtype:trojan-activity; sid:34965; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Threebyte outbound connection"; flow:to_server,established; urilen:<90; content:"/UID"; depth:4; nocase; http_uri; content:".jsp?"; within:11; nocase; http_uri; pcre:"/UID[0-9]{0,5}\x2ejsp\x3f[a-z0-9]{0,64}[\x3d]{0,2}+/Ii"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/63615ce2294ea65a061bdb51ab0771c12efcf4e77770f03a2826d57354f843ff/analysis/; classtype:trojan-activity; sid:34963; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"texto=%0D%0A"; depth:12; http_client_body; content:"/consulta"; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33b598e185ba483c5c1571651a03b90359fb1f56b55e902c7038baf315c5dad9/analysis/; classtype:trojan-activity; sid:34959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/forum/image.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/38c7d403660c98ceb0246192d7d89cd66e126c6721008f6b347d4d53b4dc063b/analysis/; classtype:trojan-activity; sid:34958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sysmain outbound connection"; flow:to_server,established; content:"/wp-content/plugins/akismet/iddx.php?id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,virustotal.com/en/file/d5e3122a263d3f66dcfa7c2fed25c2b8a3be725b2c934fa9d9ef4c5aefbc6cb9/analysis/; classtype:trojan-activity; sid:34957; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; content:"/prok/"; http_uri; content:"Content-Type: multipart/form-data, boundary=7DF051D"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Msnmm variant outbound connection"; flow:to_server,established; content:"/systen&cp="; fast_pattern:only; http_uri; content:"&log="; nocase; http_uri; content:"&index="; within:20; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/801a2d0e09076f42d93692efca7b67028f17604ae9330c186dad8c21d2ec1d0d/analysis/; classtype:trojan-activity; sid:34982; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bossabot outbound connection"; flow:to_server,established; content:"NICK BOSS-"; depth:10; content:"USER BOSS-"; within:10; distance:16; pcre:"/(USER|NICK)\x20BOSS\x2d[A-Z0-9\x5b\x5d\x2d]{15}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/9c72791d54ddfb20a6c07c986fc4190b7bf09befad2a339a7ca8723f218b8049/analysis/; classtype:trojan-activity; sid:34998; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant HTTP Response"; flow:to_client,established; dsize:<54; content:"HTTP/1.1 200 OK|0D 0A|Content-Length: "; content:"|0D 0A 0D 0A|session:"; within:15; fast_pattern; pcre:"/\r\n\r\nsession\x3a\d{1,7}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1ed49a78ee46c4a0d2eeb3b9ab707b40d3c87448c6f399d7fceefc0c16c66d38/analysis/; classtype:trojan-activity; sid:34997; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent-ALPW variant outbound connection"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"A="; depth:2; http_client_body; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6452bea82dbef796eaed8d2403ffa7141e4379bb052fdb7b63a21400c04b0334/analysis/; classtype:trojan-activity; sid:34996; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra HTTP Header Structure"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".php HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34995; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; urilen:43; content:"/imagens/nacional/new/1/2/3/br/contador.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34994; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Benloader variant outbound connection"; flow:to_server,established; urilen:>420; content:"/ad.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Macintosh|3B| Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:34993; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vcaredrix variant outbound connection"; flow:to_server, established; content:"/zoerr"; fast_pattern:only; http_uri; content:"source="; depth:7; http_client_body; content:"&value="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/684f2faf0498c42861c92ebd8eef751fc82493ae60766ad65177c25c9fd1fbd6/analysis/; classtype:trojan-activity; sid:35005; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elise variant outbound connection"; flow:to_server,established; urilen:28; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)"; fast_pattern:only; http_header; content:"/page_"; depth:6; offset:9; nocase; http_uri; content:".html"; within:5; distance:8; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2c2eb2eaadf9253a78265ac4655a6ec5935aa2673ff5e4fe3bb6753803c7fe59/analysis/; classtype:trojan-activity; sid:35050; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server, established; content:"/zom/index.php"; fast_pattern:only; http_uri; content:"start&helo_zombie=1&name="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cb9044c42808421534f6a9ba1b80dde4bbca2fc700c0ef8035e862cadfa71213/analysis/; classtype:trojan-activity; sid:35047; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3502 (msg:"MALWARE-CNC Trojan.Linux.Linuxor outbound variant connection "; flow:to_server,established; content:"BB2FA36AAA9541F0BB2FA36AAA9541F0"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/834eb864a29471d0abe178068c259470e4403eb546554247e2f5832acf9586ab/analysis/; classtype:trojan-activity; sid:35039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Backdoor.Perl.Santy outbound variant connection "; flow:to_server,established; content:"PRIVMSG #new :|02|"; depth:15; pcre:"/PRIVMSG #new :\x02\x5b(GOOGLE|SCAN)\x5d\x02\x20Scanning/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/c17f4dc4bd1f81ca7f9729fd2f88f6e3e9738c4cc8ec38426eaed9f919eecf2d/analysis/; classtype:trojan-activity; sid:35037; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Backdoor.Perl.Santy inbound variant connection "; flow:to_client,established; content:"PRIVMSG #new :.say @"; offset:17; content:"flood"; within:10 ; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,virustotal.com/en/file/c17f4dc4bd1f81ca7f9729fd2f88f6e3e9738c4cc8ec38426eaed9f919eecf2d/analysis/; classtype:trojan-activity; sid:35036; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Taleretzbj outbound connection"; flow:to_server,established; content:"/nicc/index.asp?M00="; fast_pattern:only; http_uri; content:"MP="; depth:3; http_cookie; content:"M10="; http_cookie; content:"M11="; http_cookie; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/a9b8c6dcc7840eb829d2b871c586015a603934645723635e81638f96c77af076/analysis/; classtype:trojan-activity; sid:35035; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Downloader.Boltolog variant outbound connection download request"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.2|3B| Kew="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/58dbf8b66db544f2b0b418e8ef2674d20e027c1076052f4ddf01483f2a5e0f1e/analysis/; classtype:trojan-activity; sid:35034; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konus outbound connection"; flow:to_server, established; content:"/refund/cart/connect.php"; fast_pattern:only; http_uri; content:"Content-Length: 74"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/62f3dd9edc80bd9f62e72cd7912099d22090f3086088204371c111e50649aed7/analysis/; classtype:trojan-activity; sid:35031; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:9; content:"/diff.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35030; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Keylogger.Lotronc variant outbound connection"; flow:to_server,established,no_stream; content:"USER killer0709"; depth:15; detection_filter:track by_dst, count 2, seconds 3; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/953524dda217572280dfc14dff377f4bec0ea78cca599257fa24e90175cb7c19/analysis/; classtype:trojan-activity; sid:35029; rev:3;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Troldesh C&C"; flow:to_client,established; ssl_state:server_hello; content:"|16 03|"; content:"|0B|"; within:1; distance:3; content:"|00 8F 77 DF 9C F4 D2 43 19|"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/a8b27aa4fe7df15a677f9ab9b62764d557525059a9da5f4196f1f15049e2b433/analysis/; classtype:trojan-activity; sid:35027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Regiskazi outbound connection"; flow:to_server,established; content:"/feicivan/atak.php?os="; fast_pattern:only; http_uri; content:"&osbit="; nocase; http_uri; content:"&antiv="; within:7; distance:2; nocase; http_uri; content:"&kart="; distance:0; nocase; http_uri; content:"&core="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f824cb869dddf7668a26558d7334ada78fcb66973dbc3b93282701d8959ee404/analysis/; classtype:trojan-activity; sid:35083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 58275 (msg:"MALWARE-CNC Backdoor.Linux.Qenerek outbound connection"; flow:to_server,established; dsize:1024; content:"666|7C 7C 7C|"; depth:6; content:"|7C|0.00:0.00"; within:18; distance:22; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/9e2a77775babf1d6e83d94e53c345d76f0274f30a333b76e30bff72f59e3ce28/analysis/; classtype:trojan-activity; sid:35082; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"MALWARE-CNC Win.Trojan.Tenbus outbound connection"; flow:to_server,established; dsize:8; content:"|05 00 00 00|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:trojan-activity; sid:35081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"MALWARE-CNC Win.Trojan.Tenbus outbound connection"; flow:to_server,established; dsize:5; content:"G|00|F|00|I"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:trojan-activity; sid:35080; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/siganofi/rounder.php"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Pragma|3A| no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.www.virustotal.com/en/file/857ae380e297f840b88146ec042286ef459a1c4dc53680b117a9677b189e6c68/analysis/; classtype:trojan-activity; sid:35076; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dino variant outbound connection"; flow:to_server,established; urilen:35<>42; content:"/postal.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| .NET CLR 1.0.3705|3B| .NET CLR 1.1.4322)"; http_header; content:"BO4n="; nocase; http_client_body; content:"&u0qVv23I="; within:20; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7ba09403e9d7122a20fa510de11f7809822e6e11efb164414e2148b762cf4e75/analysis/; classtype:trojan-activity; sid:35069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9003 (msg:"MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection "; flow:to_server,established; dsize:5; content:"Vypor"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35067; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25565 (msg:"MALWARE-CNC Linux.Backdoor.Powbot outbound variant connection "; flow:to_server,established; content:"mineloris.se"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35066; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection "; flow:to_client, established; content:"tcpamp "; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35065; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection "; flow:to_client, established; content:"mineloris "; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35064; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection "; flow:to_client, established; content:"kill "; depth:5; nocase; pcre:"/^kill\s(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|[0-9])$/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35063; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Powbot inbound variant connection "; flow:to_client, established; dsize:<40; content:"dildos "; depth:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/5565e6a57837ff2c3e474486313fd8e0c9e623453954c24bc44a03fc4e5e91b2/analysis/; classtype:trojan-activity; sid:35062; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server, established; content:"/updater.php"; http_uri; content:"mac="; http_client_body; content:"&comp="; distance:17; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e3a12bb9ca44de17d6e49b3d964e5fb46c6cdbea4a84aab2b2f7a83b1663f9bc/analysis/; classtype:trojan-activity; sid:35104; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"u2i3yruiyui32 hri32 hi32 ru2i3hr 2u3hruk3 2j32hr23r"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/594144c336c58f52c2f633175c005568d55528b1036a045ef52a3687885f9f6b/analysis/; classtype:trojan-activity; sid:35103; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex Microsoft Word document dropper download attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"u2i3yruiyui32 hri32 hi32 ru2i3hr 2u3hruk3 2j32hr23r"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/594144c336c58f52c2f633175c005568d55528b1036a045ef52a3687885f9f6b/analysis/; classtype:trojan-activity; sid:35102; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex variant outbound connection"; flow:to_server,established; content:"/wp-content/uploads/2015/06/"; http_uri; content:".txt"; nocase; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/594144c336c58f52c2f633175c005568d55528b1036a045ef52a3687885f9f6b/analysis/; classtype:trojan-activity; sid:35101; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.trojan.Seaduke outbound connection"; flow:to_server,established; content:"User-Agent: SiteBar/3.3.8 (Bookmark Server|3B| http|3A|//sitebar.org/)|0D 0A 0D 0A|"; fast_pattern:only; content:"/rss.php"; http_uri; urilen:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d/analysis/; classtype:trojan-activity; sid:35254; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Dropper.Agent inbound connection"; flow:to_client, established; content:"start1qaz"; depth:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7543d55d9daf87ffdc1863a11a65be7b97177dcedf8ea134a038fcab0e6c053e/analysis/; classtype:trojan-activity; sid:35221; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ProxyChange"; flow:to_server, established; content:"/images/menu/include2.php"; http_uri; content:"pcnome="; depth:7; fast_pattern; http_client_body; content:"%2F+"; within:5; distance:10; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/84132f8b894648547cc6c0745f2af748ea834458ad986aa42e48b5241392792e/analysis/; classtype:trojan-activity; sid:35303; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lpdsuite POST request"; flow:to_server,established; content:"/SecuritySuite/insert_record.php"; fast_pattern:only; http_uri; content:"name="; depth:5; http_client_body; content:"value="; depth:128; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fdb5690878b7d3db067120eed5e4418654619bb7f8d51e54e34179f882da48d8/analysis/; classtype:trojan-activity; sid:35301; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lpdsuite GET request"; flow:to_server,established; content:"/SecuritySuite/lpd_suite"; fast_pattern:only; http_uri; content:"AutoIt|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fdb5690878b7d3db067120eed5e4418654619bb7f8d51e54e34179f882da48d8/analysis/; classtype:trojan-activity; sid:35300; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall click fraud response"; flow:to_client,established; file_data; content:"2|7C|http://"; depth:9; content:"/search.php|7C|http://"; within:60; content:"|7C|Mozilla/4.0 "; within:100; content:"/r.php?key="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3b78dd891a81c18cffa5031e52f9c2329e2986ba83c5c75a67dc4ae3d1f0bec3/analysis/; classtype:trojan-activity; sid:35344; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jemerr outbound connection"; flow:to_server, established; content:"id="; depth:3; http_client_body; content:"&jjm="; within:5; distance:32; http_client_body; content:"err="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4c6f9a15dcf938e4f572d2502fa67dd091cf6fd0a99b51c0c9bcb7e058826c08/analysis/; classtype:trojan-activity; sid:35318; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Directate outbound connection"; flow:to_server,established; content:"/plugin/update/?user="; fast_pattern; http_uri; content:"&usersid="; within:45; http_uri; content:"&version="; within:193; http_uri; content:"&osbit="; distance:0; http_uri; content:"&state="; within:10; http_uri; content:"User-Agent|3A| EI Plugin updater"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/9b0f613228ad8b71a1ab44efbf6c0ed5df06cca4988d6fd094a34f867838cc54/analysis/; classtype:trojan-activity; sid:35317; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Downloader.Comsteal outbound connection"; flow:to_server,established; content:"/index.php?os=linux&hostname="; http_uri; content:"&msg="; within:260; http_uri; content:"&user="; distance:0; http_uri; content:"User-Agent|3A| curl"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9b0f613228ad8b71a1ab44efbf6c0ed5df06cca4988d6fd094a34f867838cc54/analysis/; classtype:trojan-activity; sid:35315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8889 (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server, established; content:"/uniquexe/service/GetNewData"; fast_pattern:only; content:"pkgna="; content:"opkgna="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/efe2682d260a462e460e37b56b85dd588e8d8a96bd1526647ed668c8c6c3b699/analysis/; classtype:trojan-activity; sid:35313; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif outbound connection"; flow:to_server,established; content:"/photoLibrary/?user="; http_uri; content:"&ver="; http_uri; content:"&os2="; fast_pattern:only; http_uri; content:"&type="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35312; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Win32.Cigamve request"; flow:to_server,established; content:"Accept: , , , , , , , , , , , ,"; fast_pattern:only; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/62d08b513a7d0f1b937371344ce9bc44de6022294937e690d0f926cc3eaac5c1/analysis/; classtype:trojan-activity; sid:35306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Usteal outbound connection"; flow:established,to_server; content:"UFR!"; depth:4; content:"|08 02 00 00 10 66 00 00 20 00 00 00|"; within:12; distance:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,www.virustotal.com/en/file/7B1C27FE8394A07AEF87FAFB002F9E96355854932B2B387755C740876F115A48/analysis/; classtype:trojan-activity; sid:35355; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elise.B variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 8.0)"; fast_pattern:only; http_header; urilen:28; content:"/page_"; depth:6; offset:9; nocase; http_uri; content:".html"; within:5; distance:8; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04/analysis/; classtype:trojan-activity; sid:35353; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Win32.Ralminey POST request"; flow:to_server,established; content:"Referer:|20|XXX"; fast_pattern:only; http_header; content:"mac="; depth:5; nocase; http_client_body; content:"&ip="; within:8; distance:32; http_client_body; content:"&name="; within:8; distance:30; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/69849339d126ebddfa5a1bc2751071a574d3e5d0cbd06b0cd6f921edccdf74b8/analysis/; classtype:trojan-activity; sid:35348; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mivast outbound connection"; flow:to_server,established; content:"/newimage.asp?imageid="; fast_pattern:only; http_uri; content:"&type="; offset:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d4be6c9117db9de21138ae26d1d0c3cfb38fd7a19fa07c828731fa2ac756ef8d/analysis/; classtype:trojan-activity; sid:35416; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sakurel outbound connection"; flow:to_server,established; content:"/script.asp?imageid="; fast_pattern:only; http_uri; content:"&type="; offset:30; http_uri; content:"&resid="; distance:0; http_uri; content:"&nmsg="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6b6e92be036b1a67c383d027bafc7eb63cf515006bb3b3c6ca362a2332542801/analysis/; classtype:trojan-activity; sid:35415; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Inexsmar variant outbound connection"; flow:to_server,established; urilen:8; content:"/wnctprx"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/026cf8b7aa8976588d98a9587e3b4188871936dadff27a4c7ffd2d19fb1b314b/analysis/; classtype:trojan-activity; sid:35400; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac payment page request"; flow:to_server,established; content:".php?user_code="; http_uri; content:"&user_pass="; fast_pattern:only; http_uri; content:"Referer|3A|"; http_header; content:"tor"; within:30; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35394; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01 00 51 02|"; content:"|55 04 06 13 02|XX"; fast_pattern:only; content:"|55 04 07 0C 0C|Default City"; content:"|55 04 0A 0C 13|Default Company Ltd"; distance:6; metadata:impact_flag red, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35393; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda download request"; flow:to_server,established; content:".mod"; http_uri; pcre:"/[a-z]{2}_[a-z0-9]{8}\.mod/Ui"; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35388; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda initial outbound connection"; flow:to_server,established; content:"/forum.php"; depth:10; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35387; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedep initial outbound connection"; flow:to_server,established; content:"protocolVersion|22|"; offset:2; http_client_body; content:"|22|rev|22|"; within:10; http_client_body; content:"|22|buildId|22|"; within:15; http_client_body; content:"|22|tags|22 3A|"; distance:0; http_client_body; content:"|22|type|22 3A 22|"; within:10; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35386; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"MALWARE-CNC Win.Trojan.MSIL-Pwsfcbk SQL connection"; flow:to_server,established; content:"I|00|N|00|S|00|E|00|R|00|T|00 20 00|I|00|N|00|T|00|O|00|"; depth:24; offset:48; nocase; content:"d|00|b|00|o|00|.|00|i|00|n|00|f|00|e|00|c|00|t|00|"; distance:2; nocase; content:"N|00|o|00|m|00|e|00|P|00|C|00|,|00 20 00|I|00|d|00|P|00|C|00|,|00 20 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00|P|00|C|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/it/file/9cc947dc604f8f25308076c5fb09cc646f30521206091912963c5da905624d50/analysis/; classtype:trojan-activity; sid:35385; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heur outbound connection"; flow:to_server, established; content:"ProductName="; offset:10; http_uri; content:"&Mac="; http_uri; content:"&Volume="; distance:17; http_uri; content:"&Security="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4597e3c4aa1750fbbba0115dc4d814aefdfe6de3b3ab178dbad86d3a8e9d78e/analysis/; classtype:trojan-activity; sid:35426; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bergard outbound connection"; flow:to_server, established; content:"__VIEWSTATE=IWluZm8"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6ea06c9581cad86e438d96a8cfc38b20eb2884bcb3202ad3430739f7fb6ac626/analysis/; classtype:trojan-activity; sid:35472; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666 (msg:"MALWARE-CNC Win.Trojan.Baisogu outbound connection"; flow:to_server; content:"/9hao/count.asp?"; fast_pattern:only; content:"mac="; depth:4; offset:21; content:"&ver="; within:25; content:"&tjuser="; within:35; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/ee28d4f4b8dc64f8268adce1b17a2ad6054c6a58942d97a58e15a4361e820e98/analysis/; classtype:trojan-activity; sid:35471; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"Content-Length|3A| 192|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A| no-cache"; http_header; content:!"User-Agent"; http_header; pcre:"/^([A-Z0-9+\x2f]{190}={2}|[A-Z0-9+\x2f]{191}=|[A-Z0-9+\x2f]{192})$/Pmi"; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/35f29550bcdb0c72de1e541d05ce6772dba2da89fb5c080af7118b91d68d7179/analysis/; classtype:trojan-activity; sid:35448; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Jrml variant outbound connection"; flow:to_server, established; content:"wp-includes/wpconfig.php?mode="; fast_pattern:only; http_uri; content:"|0D 0A|Content-Disposition:|20|form-data|3B 20|name="; http_client_body; content:"|0D 0A|[System Process]|0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d3c8c883c1fb972c5c50a7b2b4eccef72dba479657ee462260242d4c66cdc54/analysis/; classtype:trojan-activity; sid:35437; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackCoffee outbound connection"; flow:to_server,established; content:"/commander.php?mt="; fast_pattern:only; http_uri; content:"&r="; depth:15; offset:50; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dfd363e2811f6d56fe50362d250592104f2a08f945f903d203d9289e5cb2981d/analysis/; classtype:trojan-activity; sid:35436; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackCoffee outbound connection"; flow:to_client,established; file_data; content:"@MICR0S0FT"; fast_pattern; content:"C0RP0RATI0N"; within:11; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7ad8944573fe10ad74b09c964d65c1dadad11b67b18dff8f5ea3bc6fe6c9afbf/analysis/; classtype:trojan-activity; sid:35551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:10; content:"/order.php"; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Nibagem outbound variant connection"; flow:to_server,established; content:"/pagenotfound2/de0ad7c0a5dd117372cd/raw/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/f9432e1185b0d67e81e81debc2858ec83389e0b9d5ef61fea7e87f0fef49302b/analysis/; classtype:trojan-activity; sid:35597; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Nibagem outbound variant connection"; flow:to_server,established; content:"/images/xml.php?v="; fast_pattern; content:"&id="; distance:0; content:"&p="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/f9432e1185b0d67e81e81debc2858ec83389e0b9d5ef61fea7e87f0fef49302b/analysis/; classtype:trojan-activity; sid:35596; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NetEagle variant outbound connection"; flow:to_server,established; content:"/yzstmfa/allupdate.xml"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bbf138cfc11226d1b1d9935bb4c01541db344c78abb4f9275cdaa1bc5b36c07e/analysis/; classtype:trojan-activity; sid:35570; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/STTip.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35750; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/SNews.asp?HostID="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35749; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11; content:"/atomic.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/; classtype:trojan-activity; sid:35746; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Potao outbound connection"; flow:to_server,established; content:"|3C|methodName|3E|10a7d030-1a61-11e3-beea-001c42e2a08b|3C 2F|methodName|3E|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88/analysis/; classtype:trojan-activity; sid:35733; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Naberkalara variant outbound connection"; flow:to_server,established; content:"/log.php"; nocase; http_uri; content:"pcadi="; depth:6; fast_pattern; nocase; http_client_body; content:"&ip="; distance:0; nocase; http_client_body; content:"&key="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f0f16d52aa0ea72b0cd4026617d5ed8987041886f040338d09c0e62bed783f63/analysis/; classtype:trojan-activity; sid:35732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Seyelifon variant outbound connection"; flow:to_server,established; content:"gateway.php?action=cw"; fast_pattern:only; http_uri; content:"Connection: close"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b14b0dbee18052b9ea63b8bc688b63b8c0c5beb8b2dcb30ddbaaad3ee71dee26/analysis/; classtype:trojan-activity; sid:35804; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection"; flow:to_server,established; content:"/wp-content/themes/"; nocase; http_uri; content:".php"; within:5; nocase; http_uri; pcre:"/^\x2fwp-content\x2fthemes\x2f[A-Za-z0-9]\.php\?[A-Za-z0-9\x2B\x2F\x3D]{300}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/64e3c5e0157c43f7c5ee94a36bd58b1b5ea376498ce1272f078d0d92fe5e668c/analysis/; classtype:trojan-activity; sid:35794; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jiripbot variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/5.0)"; fast_pattern:only; http_header; content:"SSID="; http_cookie; content:"A="; within:2; distance:45; http_cookie; pcre:"/^SSID=[a-zA-Z\d]{43}\x3B\x20A=[0-3]$/C"; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45/analysis/; classtype:trojan-activity; sid:35783; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Namospu variant outbound connection"; flow:to_server,established; content:"/listener.php?pcnaam="; fast_pattern:only; http_uri; content:"&uni="; nocase; http_uri; content:"&winos="; nocase; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ce7e8f8e86cdefb5abeeea8e030e8843fe054042540e44777fa1dcdccc8e9090/analysis/; classtype:trojan-activity; sid:35842; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/css.ashx?nly="; fast_pattern:only; http_uri; content:"TNRLR|1F 13|"; http_uri; content:"|18|RMU"; within:4; distance:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bfc5fe7eedccfff4ea017963f165b33705e2a81e4beb4f19103973882df58c7b/analysis/; classtype:trojan-activity; sid:36048; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Ios.Backdoor.SYNful inbound connection"; flow:to_server,established; content:"text"; depth:4; offset:78; content:"|00 00 00|"; within:3; distance:1; content:"|45 25 6D|"; within:3; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1205; reference:url,blogs.cisco.com/security/synful-knock; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=40411; classtype:trojan-activity; sid:36054; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"windows="; depth:8; http_client_body; content:"&av="; within:50; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1fbe27602da7de2ce95254ffd409f70635179371354b4914997de273f6be9422/analysis/; classtype:trojan-activity; sid:36066; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/offers_new?v="; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"&a="; http_uri; content:"&i="; distance:0; http_uri; content:"&f="; distance:0; http_uri; content:"&u="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36065; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/rp?v="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"&u="; http_uri; content:"&c="; within:3; distance:32; http_uri; content:"&f="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36064; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shifu variant outbound connection"; flow:to_server,established; content:"/news/userlogin.php"; fast_pattern:only; http_uri; content:"|9D 0D F7 8B 8A 6A|"; depth:6; http_client_body; metadata:impact_flag red, service ssl; reference:url,www.virustotal.com/en/file/4881c7d89c2b5e934d4741a653fbdaf87cc5e7571b68c723504069d519d8a737/analysis/; classtype:trojan-activity; sid:36060; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [3030,1150] (msg:"MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection"; flow:to_server,established; dsize:22; content:"|16 00 00 00 56 56 56 41 5A 01 00 00 00 78 9C 4B 05 00 00 66 00 66|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; classtype:trojan-activity; sid:36134; rev:1;)
alert tcp $EXTERNAL_NET [3030,1150] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response"; flow:to_client,established; dsize:22; content:"|16 00 00 00 56 56 56 41 5A 01 00 00 00 78 9C 63 00 00 00 01 00 01|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; classtype:trojan-activity; sid:36133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection"; flow:to_server,established; dsize:22; content:"|15 02 03 02 55 76 55 72 54 03 03 02 03 7A 9F 49 06 02 03 64 03 64|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; classtype:trojan-activity; sid:36132; rev:1;)
alert tcp $HOME_NET [1234,3340,3433,33911,64111] -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Liudoor outbound connection"; flow:to_client,established; dsize:4; content:"pass"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/deed6e2a31349253143d4069613905e1dfc3ad4589f6987388de13e33ac187fc/analysis/; classtype:trojan-activity; sid:36115; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nimisi variant outbound connection"; flow:to_server,established; content:!"User-Agent"; http_header; content:"/logs.php?&prog="; fast_pattern:only; http_uri; content:"&url="; http_uri; content:"&user="; distance:0; http_uri; content:"&pass="; distance:0; http_uri; content:"&comp="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a1f8f8b509001e5bca811a168455a89517000a2534d271018c0c87c6210bd69f/analysis/; classtype:trojan-activity; sid:36108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV variant outbound connection"; flow:to_server,established; content:"/purchase.php?a="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&u="; distance:0; http_uri; content:"&bgload="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f4c10d33b8c46cc7922a6eebc9f14858a01b2f573ee99dd1dc02a4534b537e18/analysis; classtype:trojan-activity; sid:36107; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hodoor APT variant outbound connection"; flow:to_server,established; content:"/ajax.php"; http_uri; content:"username="; depth:9; http_client_body; content:"password="; http_client_body; content:"valicode="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1b6fadccac914201d9184559310afa5e6dc60ed6279ebeff4a12ec7484de455b/analysis/; classtype:trojan-activity; sid:36106; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Hodoor APT variant"; flow:to_client,established; file_data; content:"if|28 27|N|27|==workFlag.text|28 29 29|return|3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,grifsec.com/fr_report.pdf; classtype:trojan-activity; sid:36105; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Yakes variant outbound connection"; flow:to_server,established; file_data; content:"5595|7C|6|7C 7C|CM01|7C|CM02|7C|CM03|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cb075bae8236d70651e03baabac63662b45f9326ebb7dd291a296d1b365c5889/analysis/; classtype:trojan-activity; sid:36199; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Yakes variant certificate"; flow:to_client,established; content:"C00230-01..yiba6p"; fast_pattern; content:"|55 04 03 13 1E|C00230-01-f002 VPN Certificate"; within:35; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,www.virustotal.com/en/file/cb075bae8236d70651e03baabac63662b45f9326ebb7dd291a296d1b365c5889/analysis/; classtype:trojan-activity; sid:36198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qytags variant outbound connection"; flow:to_server,established; content:"/asp0/Count.asp?mac="; fast_pattern:only; http_uri; content:"&ver="; nocase; http_uri; content:"&os="; within:7; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/da83aaebe0f7a1e170fba04fa117a2c24bf262450c9672ec175397e4fc32c9c8/analysis/; classtype:trojan-activity; sid:36186; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.Kapento variant outbound connection"; flow:to_server,established; content:"127.0.0.1Com.txt"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,virustotal.com/en/file/8e00c4d1cd6b9b5db47793e4df5634347fb70709dac904fbd83a4763ef6a0cf3/analysis/; classtype:trojan-activity; sid:36234; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kapento variant outbound connection"; flow:to_server,established; content:"127.0.0.1Com.txt"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8e00c4d1cd6b9b5db47793e4df5634347fb70709dac904fbd83a4763ef6a0cf3/analysis/; classtype:trojan-activity; sid:36233; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kapento variant outbound connection"; flow:to_server,established; content:"/intolerence/toro.php?"; fast_pattern:only; http_uri; content:"commande="; nocase; http_uri; content:"securisation="; distance:0; nocase; http_uri; content:"passtille="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8e00c4d1cd6b9b5db47793e4df5634347fb70709dac904fbd83a4763ef6a0cf3/analysis/; classtype:trojan-activity; sid:36232; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.SdBot variant outbound connection"; flow:to_server,established; file_data; content:"USER basic{"; content:"|20 2A 20 30 20 3A|"; within:32; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/6a0378f6a64706213e615a3c8862d7f3099da7c9d0c7533e339e39df6e883401/analysis/; classtype:trojan-activity; sid:36231; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes variant dropper"; flow:to_server,established; content:"/document.php?rnd="; fast_pattern:only; http_uri; content:"&id="; depth:4; offset:22; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ff0ae81f0dece17baf8480d866c9462c9f3d49be9adde8b16f105e244eb31d67/analysis/; classtype:trojan-activity; sid:36202; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Corebot variant outbound connection"; flow:to_server,established; urilen:7; content:"/verify"; nocase; http_uri; content:"GET /verify HTTP/1.1|0D 0A|Host|3A| "; fast_pattern:only; content:"Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| WOW64|3B| Trident/6.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e414f0662f915aef89c93c3d615b24a540910ec9dac387ee5a2b4144c5a2aed/analysis/; classtype:trojan-activity; sid:36276; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Corebot variant outbound connection"; flow:to_server,established; urilen:7; content:"/client"; nocase; http_uri; content:"AQAAAPY="; fast_pattern:only; http_client_body; content:"Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| WOW64|3B| Trident/6.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e414f0662f915aef89c93c3d615b24a540910ec9dac387ee5a2b4144c5a2aed/analysis/; classtype:trojan-activity; sid:36275; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection"; flow:to_server,established; content:"/shell/reg.php?s="; fast_pattern:only; http_uri; content:"&m="; nocase; http_uri; content:"User-Agent: user agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1cb6230019902c977e849783a38629fdbb74a67c31039c0208a098715e4e49f7/analysis/; classtype:trojan-activity; sid:36269; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection"; flow:to_server,established; content:"/shell/out.php?s="; fast_pattern:only; http_uri; content:"User-Agent: user agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1cb6230019902c977e849783a38629fdbb74a67c31039c0208a098715e4e49f7/analysis/; classtype:trojan-activity; sid:36268; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rusrushel variant outbound connection"; flow:to_server,established; content:"/shell/in.php?s="; fast_pattern:only; http_uri; content:"User-Agent: user agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1cb6230019902c977e849783a38629fdbb74a67c31039c0208a098715e4e49f7/analysis/; classtype:trojan-activity; sid:36267; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/g.aspx?guid="; fast_pattern:only; http_uri; content:"&gate="; nocase; http_uri; content:"&good="; distance:0; nocase; http_uri; content:"&bad="; distance:0; nocase; http_uri; content:"&unlucky="; distance:0; nocase; http_uri; content:"&ip="; distance:0; nocase; http_uri; content:"&fn="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/g.aspx?cfg="; fast_pattern:only; http_uri; content:"&gid="; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36328; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/g.aspx?"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36327; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/files/mx.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36326; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/files/bl.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36325; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WinPlock variant outbound connection"; flow:to_server,established; content:"/wp-content/plugins/WPCoreLog/log.php?rnd="; fast_pattern:only; http_uri; content:"WinHttp.WinHttpRequest.5"; http_header; content:"Run as Admin"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,virustotal.com/en/file/11c31494aabe8036fa57486fed143f7eb3acea27b16b3c7293d631a53c33bd6a/analysis/; classtype:trojan-activity; sid:36304; rev:2;)
alert tcp $EXTERNAL_NET 81 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Mitozhan initial outbound connection server response"; flow:to_client,established; dsize:28; content:"HTTP/1.0 200|0D 0A|Content-Type|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8553b945e2d4b9f45c438797d6b5e73cfe2899af1f9fd87593af4fd7fb51794a/analysis/; classtype:trojan-activity; sid:36303; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Nisinul variant outbound connection"; flow:to_server,established; content:"?pid="; depth:10; http_uri; content:"&data="; within:6; distance:17; http_uri; content:"User-Agent|3A| WinHTTP Example/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4f67945f3c130d19970fa36fb3da8b7a988ed0a0a54ee50834150a56bd37320b/analysis/; classtype:trojan-activity; sid:36294; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alina variant outbound connection"; flow:to_server,established; content:"|DF DA CE CB DE CF AA AA|"; depth:8; offset:28; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/082000f79439600b162e6a6ff5e6815b4bd3f041f42c6c2478feba3f5eb81894/analysis/; classtype:trojan-activity; sid:36331; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DustySky variant outbound connection"; flow:to_server,established; content:"upex/Wor"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8ee73d4aeb88106ba0b6ff4f98ff7da8dc942a8ec429e579b373f6c458547464/analysis/; classtype:trojan-activity; sid:36397; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DustySky variant outbound connection"; flow:to_server,established; urilen:>150; content:"php?Pn="; fast_pattern:only; http_uri; content:"&GR="; nocase; http_uri; content:"&ID="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8ee73d4aeb88106ba0b6ff4f98ff7da8dc942a8ec429e579b373f6c458547464/analysis/; classtype:trojan-activity; sid:36396; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Kemoge outbound connection"; flow:to_server,established; content:"/v1.jsp?e"; fast_pattern:only; http_uri; content:"platform"; http_uri; content:"osVersion"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/intelligence/blog/post/use-case:-searching-for-kemoge-android-adware/5430957313660468210-4022109835298466466/; classtype:trojan-activity; sid:36471; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AridViper variant outbound connection"; flow:to_server,established; content:"php?p="; nocase; http_uri; content:"User-Agent: AudioDrive"; fast_pattern:only; http_header; content:"REMOTE_USER:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1f3b4ceea2e3054162260bb827a5c867d5615b15c68e065d97a99a892d5cad4e/analysis/; classtype:trojan-activity; sid:36469; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AridViper variant outbound connection"; flow:to_server,established; content:"/designs/"; depth:9; nocase; http_uri; content:"php?s1="; distance:0; nocase; http_uri; content:"User-Agent: Realtek"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1f3b4ceea2e3054162260bb827a5c867d5615b15c68e065d97a99a892d5cad4e/analysis/; classtype:trojan-activity; sid:36468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CenterPos outbound connection"; flow:to_server,established; content:"Content-Disposition|3A| form-data|3B| name=|22|userfile|22 3B|filename="; fast_pattern:only; http_client_body; content:!"User-Agent|3A|"; http_header; content:"[data]"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2641bc194d9d59b18a87e361474339cb6b6cb721a710ca3bf958aa3c3a422553/analysis/; classtype:trojan-activity; sid:36460; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Misnt variant outbound connection"; flow:to_server,established; content:"/list.php"; fast_pattern:only; http_uri; urilen:9; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/19ad985478251a7a9010cbc38a70d2cac12a8481ff585b275249f398caed0dd6/analysis/; classtype:trojan-activity; sid:36526; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker.NWT variant outbound connection"; flow:to_server,established; content:"/acesso.php"; fast_pattern:only; http_uri; content:"call="; depth:5; http_client_body; content:"&ct="; distance:0; http_client_body; content:"&windows="; distance:0; http_client_body; content:"&dados="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a1b3ada62cb45f8ba3b175b7bbaadad7e76afcc4fa73df8cfd3ea4028484a689/analysis/; classtype:trojan-activity; sid:36522; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Njrat variant outbound connection"; flow:to_server,established; content:"|7C 27 7C 27 7C|Win"; fast_pattern:only; content:"|7C 27 7C 27 7C|No|7C 27 7C 27 7C|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/349D85C0CDEA3C6B3467C06AB0AD2AFB53DF091E8FBF71AC4320D565ADD6623A/analysis/; reference:url,www.virustotal.com/file/3c3bd38fb908c4b6b33b3d83595d4bcef974379937f53b7a51e695ba71c1bd50/analysis/; classtype:trojan-activity; sid:36506; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hangman.A outbound connection"; flow:to_server,established; ssl_state:client_hello; content:"|00 14 00 00 00 10 00 0E 00 00 0B 7E 21 40 23 24 25 5E 26 2A 28 29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/8a4f000049ad2a6c4eeac823c087b1c6e68c58b241c70341821cceccdf0f2d17/analysis/; classtype:trojan-activity; sid:36497; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Brolux variant outbound connection"; flow:to_server,established; content:"/data/geditor/1501/"; fast_pattern:only; http_uri; content:".txt"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7f57128698280a8522bb2223e67e3f66aaffc8d846e3c9727b6f340d4fe82787/analysis/; classtype:trojan-activity; sid:36540; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Slackbot variant outbound connection"; flow:to_server,established; content:"PRIVMSG mpk"; fast_pattern:only; content:"!Hello|20 3C 3C|mpk|3E 3E|"; nocase; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Slackbot.F; classtype:trojan-activity; sid:36580; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC Win.Trojan.Slackbot variant outbound connection"; flow:to_server,established; content:"PRIVMSG mpk"; fast_pattern:only; content:"!MpkPing|20 3C 3C|mpk|3E 3E|"; nocase; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/Slackbot.F; classtype:trojan-activity; sid:36579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection"; flow:to_server,established; content:"/SERVER/loadAdmins/"; fast_pattern:only; http_uri; urilen:19; content:!"User-Agent"; nocase; http_header; content:"password="; nocase; http_client_body; content:"&category="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Stimilik outbound variant connection"; flow:to_server,established; content:"/SERVER/addToLog/"; fast_pattern:only; http_uri; urilen:17; content:!"User-Agent"; nocase; http_header; content:"password="; nocase; http_client_body; content:"&category="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36577; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"CWD /php_backdoor/admin/img_screen/"; fast_pattern:only; content:"STOR"; nocase; content:"_trolo_"; within:20; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36572; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?windows="; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36571; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?upd="; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36570; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?status="; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36569; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?start"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36568; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?image_name="; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL.Troloscup outbound variant connection"; flow:to_server,established; content:"/php_backdoor/?get_func"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/55f0e0b709b290fea4299712bc5f8442ddd54d13157309d15b8fc88f71ef0beb/analysis/; classtype:trojan-activity; sid:36566; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Panskeg outbound connection"; flow:to_server,established; file_data; dsize:10; content:"|79 40 1F F2 03 3C 20 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/81c6fa11d46bf173932b067c32a852f048ba51873210c3e24ac367c95e799e42/analysis/; classtype:trojan-activity; sid:36610; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection"; flow:to_server,established; content:"STOR public_html"; nocase; content:".rar|0D 0A|"; within:25; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/d917c9c1df013f80cd3a6cd6c6a662250d1045991c6ac15ea7074cf9b2a7664b/analysis/; classtype:trojan-activity; sid:36603; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection"; flow:to_server,established; content:"RETR public_html/updates/version.txt|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/d917c9c1df013f80cd3a6cd6c6a662250d1045991c6ac15ea7074cf9b2a7664b/analysis/; classtype:trojan-activity; sid:36602; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QVKeylogger outbound variant connection"; flow:to_server,established; content:"PASS hUSuphun7*|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/d917c9c1df013f80cd3a6cd6c6a662250d1045991c6ac15ea7074cf9b2a7664b/analysis/; classtype:trojan-activity; sid:36601; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&syspath="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"&macid="; nocase; http_client_body; content:"&os1="; distance:0; nocase; http_client_body; content:"&os2="; distance:0; nocase; http_client_body; content:"&syspath="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36630; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teabevil variant outbound connection"; flow:to_server,established; content:"&vs="; fast_pattern:only; content:"/script"; http_uri; urilen:7; content:"CONTENT-TYPE:"; http_header; content:"v="; nocase; http_client_body; content:"&id="; distance:0; nocase; http_client_body; content:"&uid="; distance:0; nocase; http_client_body; content:"&vs="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bcf7fbd2123d7085ce5e3e699c9347c48f4c2ec6f26371852a01cf597a96968/analysis/; classtype:trojan-activity; sid:36629; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Recodler variant outbound connection"; flow:to_server,established; content:"/count.asp?mac="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; nocase; http_header; content:!"Accept"; nocase; http_header; reference:url,www.virustotal.com/en/file/4dc77cd5cf55b8f2d4a5f92ba8e66525f242f46127b5c9934cf72581a4fece69/analysis/; classtype:trojan-activity; sid:36628; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tanmar outbound  connection"; flow:to_server,established; content:"/_file-manager/php/connector.php?access="; fast_pattern:only; http_uri; content:"&cmd="; nocase; http_uri; content:"&target="; distance:0; nocase; http_uri; content:"&download="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9cc3db147a00180e49009597493b5809a0e8f9c2bbc1aabd43f634c9d2d99e62/analysis/; classtype:trojan-activity; sid:36627; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1777 (msg:"MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection"; flow:to_server,established; dsize:5; content:"|AC ED 00 05|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/ea4689ab9e0cb0f6eaca712180e97569548e00bfce6a5e87853d0dff759d3712/analysis/; classtype:trojan-activity; sid:36626; rev:1;)
alert tcp $EXTERNAL_NET 1777 -> $HOME_NET any (msg:"MALWARE-CNC Windows.Backdoor.Quaverse outbound variant connection"; flow:to_client,established; dsize:16; content:"t|00 0D|giveClientMac"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/ea4689ab9e0cb0f6eaca712180e97569548e00bfce6a5e87853d0dff759d3712/analysis/; classtype:trojan-activity; sid:36625; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wedots outbound variant connection"; flow:to_server,established; content:"/new/03/ftpindex.txt"; fast_pattern:only; http_uri; urilen:21; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9e461354fc05aff7a0cd90db612eecfdc9d0a54a15f6f2c7d959e6ef72fe28ab/analysis/; classtype:trojan-activity; sid:36624; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wedots outbound variant connection"; flow:to_server,established; content:"/new/03/tji.html"; fast_pattern:only; http_uri; urilen:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9e461354fc05aff7a0cd90db612eecfdc9d0a54a15f6f2c7d959e6ef72fe28ab/analysis/; classtype:trojan-activity; sid:36623; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wedots outbound variant connection"; flow:to_server,established; content:"/new/03/index.txt"; fast_pattern:only; http_uri; urilen:17; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9e461354fc05aff7a0cd90db612eecfdc9d0a54a15f6f2c7d959e6ef72fe28ab/analysis/; classtype:trojan-activity; sid:36622; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stupeval variant outbound connection"; flow:to_server,established; content:"/Uptools/PcInfo.php?inforegctrl="; fast_pattern:only; http_uri; content:"User-Agent|3A| AutoIt|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4fc15e300fe0508318ade43cb545c17f19e04a40eb195a513ce88ccc3a3a9863/analysis/; classtype:trojan-activity; sid:36765; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sefnit variant outbound connection"; flow:to_server,established; urilen:40,norm; content:"/j/"; depth:3; http_uri; content:"/0001"; within:5; distance:32; http_uri; content:!"User-Agent"; http_header; pcre:"/^\x2fj\x2f[a-f0-9]{32}\x2f0001$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/acddfb0bbbde83deddc8f0e4ca0ff3bd901cae473985c93b84072a874f5b9360/analysis/; classtype:trojan-activity; sid:36732; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sathurbot outbound connection"; flow:to_server,established; content:"|3C|root|3E 0A|"; depth:7; fast_pattern; http_client_body; content:"|3C|cmd action="; within:12; distance:4; http_client_body; content:"winver="; within:7; distance:47; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/65622ddd73b1f9efb83e2389a8f4df0788b1b9ab4839829c4f96240e777658b1/analysis/; classtype:trojan-activity; sid:36670; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tentobr outbound connection"; flow:to_server,established; content:"/botnet/suca.php"; fast_pattern:only; http_uri; urilen:16; content:"entradatrasera="; depth:15; nocase; http_client_body; content:"&key="; distance:0; http_client_body; content:"&pais="; distance:0; http_client_body; content:"&timeout="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,virustotal.com/en/file/75b8930a75bb37f607862fded39289050919b81248be1f45415cc24eff969c80/analysis/; classtype:trojan-activity; sid:36666; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redcontrole variant outbound connection"; flow:to_server,established; content:"key.php?key="; fast_pattern:only; http_uri; content:"---------------------------------------"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4a182212680a662657114ebee1f064a054a7fdf4fab746c1c39953dc2c3e1d62/analysis/; classtype:trojan-activity; sid:36770; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gokawa variant outbound connection"; flow:to_server,established; urilen:67; content:"action=visit.serv.start"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b67c0a24f5e3b14c6b6b5b781b3ffbb1869755f4e9e0536f1c2ae9ad80da69af/analysis/; classtype:trojan-activity; sid:36781; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zimwervi variant outbound connection"; flow:to_server,established; content:"/count.asp?type="; fast_pattern:only; http_uri; content:"Accept: Accept:"; http_header; content:"User-Agent: WebServ|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0f947239e00470b7185ca6f5cdda7f2f2355379e769aa5b5ddee45ed6b893800/analysis/; classtype:trojan-activity; sid:36777; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ruinmail outbound connection"; flow:to_server,established; content:"/portal/in.php"; fast_pattern:only; http_uri; urilen:14; content:"mail="; nocase; http_client_body; content:"&data="; distance:0; nocase; http_client_body; content:"APC%20Name%3A"; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b44daf31fe132cbdc68a849b2c08719f50af564bfd78b5fb6757559142af3487/analysis/; classtype:trojan-activity; sid:36800; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nodslit variant outbound connection"; flow:to_server,established; content:"/log/access?modeAct="; nocase; http_uri; content:"&MAC="; distance:0; nocase; http_uri; content:"&PID="; within:5; distance:17; nocase; http_uri; content:"&OS="; distance:0; nocase; http_uri; content:"&BIT="; distance:0; nocase; http_uri; content:"&name="; within:6; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4a6b79eb8fb91652cbb166137845c28355311131c4e33093f9b301983b57fc14/analysis/; classtype:trojan-activity; sid:36807; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Mabouia outbound connection"; flow:to_server,established; content:"/mabouia/catcher.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f4818a2420f53ff90c7232a730a576565311917fd6c72030b26100baf4eac79f/analysis/; classtype:trojan-activity; sid:36810; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Leralogs variant outbound connection"; flow:to_server,established; content:"/?DQogLS0tLS0tLSBUaW1lcyg"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4a217be67cd619ac63d4d0817d30ab32700b42a79ec86f55790111dd78261212/analysis/; classtype:trojan-activity; sid:36841; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Banload inbound connection"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:"AVKILL.EXE"; within:10; distance:26; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/d8870e07e63199fabfc704b450fdaeb168d0b7a0fe414905728fc1fb816ed9df/analysis/; classtype:trojan-activity; sid:36835; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload outbound connection"; flow:to_client,established; file_data; content:"PK|03 04|"; depth:4; content:"AVKILL.EXE"; within:10; distance:26; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/d8870e07e63199fabfc704b450fdaeb168d0b7a0fe414905728fc1fb816ed9df/analysis/; classtype:trojan-activity; sid:36834; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trfijan outbound connection"; flow:to_server,established; content:"/logs.php?ap="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d1f958c6bf5c1de44010265414a5a547386f964ea5d1b7cb18b582411b31018a/analysis/; classtype:trojan-activity; sid:36893; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC AbbadonPOS variant outbound connection"; flow:to_server,established; content:"/image/tools1.ico"; fast_pattern:only; http_uri; content:"Media Center PC 6.0|3B|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/780ada8440b11b76421e5cbbf1720913779b7c4b243b03595ccd69367ede6fce/analysis/; classtype:trojan-activity; sid:36890; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TinyDropper variant outbound connection"; flow:to_server,established; content:"/search.php?aff="; depth:16; http_uri; content:"&saff="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/780ada8440b11b76421e5cbbf1720913779b7c4b243b03595ccd69367ede6fce/analysis/; classtype:trojan-activity; sid:36889; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"MALWARE-CNC GlassRAT handshake beacon"; flow:to_server,established; content:"|CB FF 5D C9 AD 3F 5B A1 54 13 FE FB 05 C6 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf; classtype:trojan-activity; sid:36911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nessfi outbound connection"; flow:to_server,established; content:"php?&99="; http_uri; content:"&dll="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cbb8be245c450a50166853b7fd87e2eb18a6c766af70f3892927d20f75ae3c5a/analysis/; classtype:trojan-activity; sid:37102; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nessfi outbound connection"; flow:to_server,established; content:"1="; http_client_body; content:"&2="; http_client_body; content:"&3="; http_client_body; content:"&99="; http_client_body; content:"&^"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/cbb8be245c450a50166853b7fd87e2eb18a6c766af70f3892927d20f75ae3c5a/analysis/; classtype:trojan-activity; sid:37101; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dashikut outbound connection"; flow:to_server,established; content:"/ fsoOJmQW/LbpiQPoTaiqkezlHE9LuGl8="; fast_pattern:only; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6a075743df879bed39f330d11704fa9d3f1baa97e8a5b109e6508b0aeef3e150/analysis/1449861345/; classtype:trojan-activity; sid:37100; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 45678 (msg:"MALWARE-CNC Win.Trojan.Flusihoc variant outbound connection"; flow:to_server,established; content:"MHz"; content:"Mb"; content:"Gbpsend"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d3a0f109aad8824b72a9b57523dcfa685e3b4dd46de3032a9e4429839a8a8155/analysis/; classtype:trojan-activity; sid:37068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 18892 (msg:"MALWARE-CNC Win.Trojan.Droot outbound connection"; flow:to_server,established; dsize:4; content:"|7B 2E 77 B9|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/998c3b096166c285dbfff28942c330c1bcec6085589f958a7a6a524c65e990a4/analysis/; classtype:trojan-activity; sid:37067; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload"; flow:to_server,established; content:"/contador/cnt.php?url="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/279486636dc5583cff84fbd9d1af5ab87ae0697a8560b8af1a016ae37f3d28d2/analysis/; classtype:trojan-activity; sid:37066; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 803 (msg:"MALWARE-CNC Win.Backdoor.Venik outbound connection"; flow:to_server,established; content:"joy.asp?sid="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3361cece5f1e2920f2eb6029aa844d434f3f265cace7061cc52a0e11a6d1d383/analysis/; classtype:trojan-activity; sid:37065; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Telehot outbound connection"; flow:to_server,established; content:"language/en-GB/smtps.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:"texto="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b38000c690cc5db9cd433d359d250bbaa8edfa6c14aef8e3f87b98279a93e724/analysis/; classtype:trojan-activity; sid:37064; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Paligenpo outbound connection"; flow:to_server,established; content:"media/index.php?udid="; fast_pattern:only; http_uri; content:"WinHttp.WinHttpRequest.5"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/46db5ec5ba8a9a1fd100ee422ee4bdecc2686f4bb620073a5eb2c4d37cb557b9/analysis/; classtype:trojan-activity; sid:37063; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Tdrop2 variant dropper download attempt"; flow:to_client,established; file_data; content:"DW"; depth:2; content:"|B4 09 CD 21 B8 01 4C CD 21|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/1dee9b9d2e390f217cf19e63cdc3e53cc5d590eb2b9b21599e2da23a7a636184/analysis/; classtype:trojan-activity; sid:37053; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt outbound connection"; flow:to_server; urilen:>300,norm; content:"Mozilla/5.0 (Windows NT 6.3|3B| WOW64|3B| Trident/7.0|3B| Touch|3B| rv:11.0) like Gecko"; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/^\/[A-Z0-9\x2f]+\.php\?[A-Z0-9]{300}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/65c8fa84a707c0e3c0cd5d135d35eed15e1291d3223916e4bad7e91176d04a54/analysis/; classtype:trojan-activity; sid:37052; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ATSEngine credit card number sent via URL parameter"; flow:to_server,established; content:"/gate.php?action=set_variables"; http_uri; content:"&login="; distance:0; http_uri; content:"&ccnum="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.xylibox.com/2014/05/atsengine.html; classtype:trojan-activity; sid:37051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ATSEngine initial beacon"; flow:to_server,established; content:"/amazon.js?ssid="; http_uri; content:"&bt="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.xylibox.com/2014/05/atsengine.html; classtype:trojan-activity; sid:37050; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Geratid variant outbound connection"; flow:to_server,established; content:"/announce/"; nocase; http_uri; content:"rid="; http_client_body; content:"hwid="; fast_pattern:only; http_client_body; content:"rno="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b38a7ec34ee3f6c24edf3c533b702a2aa72c3e94542b32b8b2c64ea896036dbc/analysis/; classtype:trojan-activity; sid:37049; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bookworm variant outbound connection"; flow:to_server,established; urilen:50; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; content:"/0"; depth:2; http_uri; content:!"User-Agent: "; http_header; content:!"Accept: "; http_header; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/80bfe4c4758a93e315da8bbcbfbc48cd8f280b871e1bcf1cf6a126454895e05a/analysis /; classtype:trojan-activity; sid:37048; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vonterra outbound connection"; flow:to_server,established; content:"/sucess/thanks.php"; fast_pattern:only; http_uri; content:!"Referrer|3A|"; http_header; content:"&Cores="; nocase; http_uri; content:"&v="; within:6; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/14dde35ea9ec7e8769e5312563a83b814bd23f0bc6b0cf84d79e024d17022d00/analysis/; classtype:trojan-activity; sid:37047; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter outbound connection"; flow:to_server,established; content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/e3da9c7f20e7f24891e0dec594dad6d9deebee145153611a5c05c69593284a27/analysis/; reference:url,www.virustotal.com/en/file/9d6b1bd74848dd0549ad3883b7292d3ba0a4fa06d0aaf562032b0bf6dc198249/analysis/; classtype:trojan-activity; sid:37045; rev:3;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Arfadinf variant outbound connection"; flow:to_server,established; content:"/check/Test11~"; fast_pattern:only; http_uri; content:"cmd.inf"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/65ece5aa5926c7b25b337da895fd5fcd042e43f77bba084a1f1a33570d1a1cdc/analysis/; classtype:trojan-activity; sid:37037; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModPOS outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/robots.txt"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1159dceabbab2019988cd0da041ed0367c6d5a9ee5077da3d52ea5dc332a0230/analysis/; classtype:trojan-activity; sid:37036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alina variant outbound connection"; flow:to_server,established; content:"|FF FA EE EB FE EF AA AA|"; depth:8; offset:28; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/082000f79439600b162e6a6ff5e6815b4bd3f041f42c6c2478feba3f5eb81894/analysis/; classtype:trojan-activity; sid:37027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sofacy outbound connection"; flow:to_server,established; content:"User-Agent: MSIE 8.0|0D 0A|"; fast_pattern:only; http_header; content:"/check/"; http_uri; urilen:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e917166adf6e1135444f327d8fff6ec6c6a8606d65dda4e24c2f416d23b69d45/analysis/; classtype:trojan-activity; sid:37024; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"HTTP|5C|1.1 Sycmentec"; depth:18; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3a5876eea86280e660a21564c9a2e2c7a8493b444d710c83a4813152a3c9d21d/analysis/; classtype:trojan-activity; sid:37020; rev:1;)
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"MALWARE-CNC Milkoad.A First Request"; flow:to_server,established; content:"ldr/client.php?msg=hello"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/30298b8648ae5b5443366a5f40294f16c09a04a76b7949a28feeacf159b135d0/analysis/; classtype:trojan-activity; sid:36916; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-admin/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\.exe$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:36914; rev:1;)
alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Collicky variant inbound command attempt"; flow:to_client,established; content:"#$$$"; depth:4; content:"#!!!"; distance:250; pcre:"/\x23\x24\x24\x24[A-F0-9]{250,}\x23\x21\x21\x21/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3ce877266e281bbf00bb57cd02a3abe21ff993c007d405fca412a02bd9b718c/analysis/1450285074/; classtype:trojan-activity; sid:37141; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Batec outbound connection"; flow:to_server,established; content:"/Modulos/BOBY.jpg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a2f9a0c6348c725b3959094967e9c540c93a4b52c266dccf7752a722817e3da6/analysis/; classtype:trojan-activity; sid:37127; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cetsiol outbound connection"; flow:to_server,established; content:"|0E 25|"; depth:2; http_client_body; content:"|EE AE 79 31 54 A4|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/dff2e80dc4b43aff2c68d79ba0c55557c317d6d601594634a2a4d9488aecf842/analysis/; classtype:trojan-activity; sid:37117; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Hpastal outbound email attempt"; flow:to_server,established; file_data; content:"Passwords Of "; depth:13; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/44bc605f8c6c6035540a65d9c53697d119e76e6bfd9a0ac35f8add970b49ced3/analysis/1450362196/; classtype:trojan-activity; sid:37164; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isniffer outbound connection"; flow:to_server,established; content:"isn_reloadconfig"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/587e784f8c54b49f25c01e0e8f71c205bd422e2b673fb7fbf28d721aa768e055/analysis/1450804558/; classtype:trojan-activity; sid:37228; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isniffer outbound connection"; flow:to_server,established; content:"isn_logdel"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/587e784f8c54b49f25c01e0e8f71c205bd422e2b673fb7fbf28d721aa768e055/analysis/1450804558/; classtype:trojan-activity; sid:37227; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isniffer outbound connection"; flow:to_server,established; content:"isn_logpath"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/587e784f8c54b49f25c01e0e8f71c205bd422e2b673fb7fbf28d721aa768e055/analysis/1450804558/; classtype:trojan-activity; sid:37226; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Isniffer outbound connection"; flow:to_server,established; content:"isn_getlog"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/587e784f8c54b49f25c01e0e8f71c205bd422e2b673fb7fbf28d721aa768e055/analysis/1450804558/; classtype:trojan-activity; sid:37225; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pmabot outbound connection"; flow:to_server,established; content:"/myadmin/scripts/setup.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b6df5e40c047624b37bec8ce8b7f60bff11b7b2492ed8f8237163999de938bbd/analysis/1450976284/; classtype:trojan-activity; sid:37215; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pmabot outbound connection"; flow:to_server,established; content:"/pma/scripts/setup.php"; depth:22; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b6df5e40c047624b37bec8ce8b7f60bff11b7b2492ed8f8237163999de938bbd/analysis/1450976284/; classtype:trojan-activity; sid:37214; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pmabot outbound connection"; flow:to_server,established; content:"/phpMyAdmin/scripts/setup.php"; fast_pattern:only; http_uri; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b6df5e40c047624b37bec8ce8b7f60bff11b7b2492ed8f8237163999de938bbd/analysis/1450976284/; classtype:trojan-activity; sid:37213; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pmabot outbound connection"; flow:to_server,established; content:"/phpTest/zologize/axa.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b6df5e40c047624b37bec8ce8b7f60bff11b7b2492ed8f8237163999de938bbd/analysis/1450976284/; classtype:trojan-activity; sid:37212; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(base64_decode($_POST"; fast_pattern:only; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1100; reference:url,attack.mitre.org/techniques/T1132; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:37245; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-CNC MultiOS.Trojan.Pbot outbound IRC channel join attempt"; flow:to_server, established; content:"JOIN #pma Always"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/86451aa007a260116a1d0d8771fa40971aa393b500d07a1514f93cc4cd2d676d/analysis/1452268107/; classtype:trojan-activity; sid:37360; rev:1;)
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.Pbot inbound command attempt"; flow:to_client, established; content:"PRIVMSG #pma :."; depth:40; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/86451aa007a260116a1d0d8771fa40971aa393b500d07a1514f93cc4cd2d676d/analysis/1452268107/; classtype:trojan-activity; sid:37359; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH server password authentication"; flow:to_client,established; content:"passDs5Bu9Te7"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd/analysis/1452274157/; classtype:trojan-activity; sid:37357; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.BlackEnergy DropBear SSH public key"; flow:to_client,established; content:"AAAAB3NzaC1yc2EAAAABJQAAAQEAsrGnWG3XPW4tO8tRLhF"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0969daac4adc84ab7b50d4f9ffb16c4e1a07c6dbfc968bd6649497c794a161cd/analysis/1452274157/; classtype:trojan-activity; sid:37356; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Direvex variant outbound connection"; flow:to_server,established; content:"/whereismyentry.php"; fast_pattern:only; http_uri; content:"loader="; depth:7; http_client_body; content:"&token="; distance:0; http_client_body; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f6532b7175669a8eb343950e067f359cfd97f33426b4c4ef67e30d0b440a1365/analysis/; classtype:trojan-activity; sid:37323; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Sakurel variant outbound connection"; flow:to_server,established; content:"/view.asp?cookie="; offset:5; fast_pattern; content:"&type="; within:6; distance:15; content:"&vid="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0237f92714f28d755025fa6ba0f4759c7797edd73c4ccbd544495941ae0e0bcd/analysis/; classtype:trojan-activity; sid:37320; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Radamant inbound connection"; flow:to_client,established; dsize:>32; content:"[0:unknownID][6:"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9f63e8655da2abb0e7acf7c90a3797826f1b631794c6adf703f6afa55add56a4/analysis/; classtype:attempted-user; sid:37317; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sesramot variant outbound connection"; flow:to_server,established; content:"/content/opbotnet/command.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/261ca01c6432a09a2c4122d3065b558228e235a6cad66067bb6093647c03f97d/analysis/; classtype:trojan-activity; sid:37297; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sesramot variant outbound connection"; flow:to_server,established; content:"/content/opbotnet/accept.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/261ca01c6432a09a2c4122d3065b558228e235a6cad66067bb6093647c03f97d/analysis/; classtype:trojan-activity; sid:37296; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Derkziel variant outbound connection"; flow:to_server,established; content:"/gate.php"; nocase; http_uri; content:"derkziel.txt"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9b026281b5b20df22976e3bed2c926096728cefd6dea86aadd05c1cec16f6811/analysis/; classtype:trojan-activity; sid:37374; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Win.Trojan.Trochulis variant outbound connection"; flow:to_server,established; file_data; content:"|BF BF AF AF 7E 00 00 00|"; fast_pattern:only; dsize:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/da6905d96cc860b443deb5f27271a2cfb2ce17f067a59ca7f0fd12c1d70c4372/analysis/; classtype:trojan-activity; sid:37370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sovfo variant outbound connection"; flow:to_server,established; content:"/post.php?files="; depth:16; nocase; http_uri; content:"&user="; distance:0; nocase; http_uri; content:"&machine="; distance:0; nocase; http_uri; content:"&datetime="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b5814a31742c330cf4cea748bf32e1f9df58116d21c0c2b7980af8bf4195a81a/analysis/; classtype:trojan-activity; sid:37457; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Evilgrab outbound connection"; flow:to_server,established; content:"|DD 00 00 00 20|GET"; depth:8; rawbytes; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/25999b694489d6a1f09f57b89b8ba8fe9bc1f0eeb183ba1cb2693ec27368a293/analysis/; classtype:trojan-activity; sid:37447; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection"; flow:to_server,established; content:"/rss/feed/stream"; fast_pattern:only; http_uri; content:"|3F|"; depth:1; offset:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ADFAFFEA064A9F89064FBA300CDFCD7634CFD06802BF250FA1B070CABFBEBF5/analysis/; classtype:trojan-activity; sid:37467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blackmoon outbound connection"; flow:to_server,established; content:"/board/tj/count.asp?sid="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.0)"; nocase; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9ee043dc2e66447e55e6a8073ba7afb7af383dfb6d6545acf4ee7b5300eda97c/analysis/; classtype:trojan-activity; sid:37466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/OSKey.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37523; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Mail.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37522; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Browser.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37521; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; urilen:15<>30,norm; content:".jpg?"; fast_pattern:only; http_uri; content:"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/\.jpg\x3f[a-f0-9]{4,7}\x3d\d{6,8}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2A96C520770F5CE46468F1228C508E4DFC1DB958663CE5B473CFC9B94C5837A7/analysis/; classtype:trojan-activity; sid:37516; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"MALWARE-CNC Win.Trojan.Derusbi outbound connection"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:1; content:!"|00|"; within:1; content:"|00 08 02 00 00 00|"; within:6; distance:4; content:!"|00|"; within:1; content:"|00 00|"; within:2; distance:2; content:!"|00|"; within:20; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/de33dfce8143f9f929abda910632f7536ffa809603ec027a4193d5e57880b292/analysis/; classtype:trojan-activity; sid:37536; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"MALWARE-CNC Win.Trojan.Derusbi outbound connection"; flow:to_server,established; content:"|00 00 00|"; depth:3; offset:1; content:!"|00|"; within:1; content:"|00 07 02 00 00 00|"; within:6; distance:4; content:!"|00|"; within:1; content:"|00 00|"; within:2; distance:2; content:!"|00|"; within:20; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/de33dfce8143f9f929abda910632f7536ffa809603ec027a4193d5e57880b292/analysis/; classtype:trojan-activity; sid:37535; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Derusbi outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)"; fast_pattern:only; http_header; content:"Referer: "; http_header; content:"google.com"; within:30; http_header; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/de33dfce8143f9f929abda910632f7536ffa809603ec027a4193d5e57880b292/analysis/; classtype:trojan-activity; sid:37534; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Latentbot variant outbound connection"; flow:to_server,established; content:"/$rdgate?ACTION=HELLO"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e97b3e1556b3417941b221bc779eeaf9f34ac1fb40a393e4be9f737351e16758/analysis/; classtype:trojan-activity; sid:37618; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Engr variant outbound connection"; flow:to_server,established; urilen:7<>8; content:".php"; http_uri; content:"boundary=Xu02=$"; fast_pattern:only; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/54f6600db99fdab31453f3e23e8fb080438cd1ec36b6fc2868ff86cf88f14bb0/analysis/; classtype:trojan-activity; sid:37552; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/vip.jpg"; fast_pattern:only; http_uri; urilen:8; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37647; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant dropper download connection"; flow:to_client,established; file_data; content:"|A6 4D AA E1 65 52 A5 E1 E3 58 76 E1 81 4D A5 E1 CE 48 9C E1 BB 4D A5 E1 CE 48 A9 E1 A1 4D A5 E1|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37646; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor outbound connection"; flow:to_server,established; content:".asp?ip="; fast_pattern:only; nocase; http_uri; content:"&hn="; nocase; http_uri; content:"&gmt="; within:25; nocase; http_uri; content:"&ver="; within:20; nocase; http_uri; pcre:"/\x2easp\x3fip=(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)&hn=[a-zA-Z0-9]{3,25}&gmt=(\-[0-9])&ver=/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e8d782ccf061acbc0ead3f96d64959c4ea5a0c66642dbddc3b51410100177bb9/analysis/; classtype:trojan-activity; sid:37637; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor outbound connection"; flow:to_server,established; content:".asp?id="; fast_pattern:only; http_uri; content:"&ver="; nocase; http_uri; pcre:"/\x2easp\x3fid=(code|ProxyFlag|ip|port)&ver=/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e8d782ccf061acbc0ead3f96d64959c4ea5a0c66642dbddc3b51410100177bb9/analysis/; classtype:trojan-activity; sid:37636; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound POST attempt"; flow:to_server,established; content:"|0D 0A|Referer: https://www.google.com|0D 0A|"; fast_pattern:only; http_header; content:"action="; http_client_body; content:"data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e2c115679bcad87692506d6d9e7a985c59f59e36fd658b8927386474cbcc38ca/analysis/1455286210/; classtype:trojan-activity; sid:37686; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex dropper variant outbound connection"; flow:to_server,established; content:"/gt.jpg?"; fast_pattern; http_uri; content:"="; within:1; distance:15; http_uri; content:"bytes=6433-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8a80760f60f42ce5574a8020c08123a6a8fc2a12d28e8802f3d5101f72c2ad0c/analysis/; classtype:trojan-activity; sid:37733; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teslacrypt outbound POST attempt"; flow:to_server,established; content:"/dbconnect.php"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3b90683a555e73ab11180e13c900a8f21cc2726dd015f9cffb656c1c38e712e9/analysis/1455556019/; classtype:trojan-activity; sid:37719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teslacrypt outbound POST attempt"; flow:to_server,established; content:"/administrator/components/com_akeeba/akeeba/engines/proc/mzsystem.php"; fast_pattern:only; http_uri; content:"data"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3b90683a555e73ab11180e13c900a8f21cc2726dd015f9cffb656c1c38e712e9/analysis/1455556019/; classtype:trojan-activity; sid:37718; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Teslacrypt outbound POST attempt"; flow:to_server,established; content:"/mssys.php"; fast_pattern:only; http_uri; content:"data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3b90683a555e73ab11180e13c900a8f21cc2726dd015f9cffb656c1c38e712e9/analysis/1455556019/; classtype:trojan-activity; sid:37717; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.LeChiffre outbound connection"; flow:to_server,established; content:"/sipvoice.php?"; nocase; http_uri; content:"session="; distance:0; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0/analysis/; classtype:trojan-activity; sid:37844; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)"; fast_pattern:only; http_header; urilen:15; content:"/images/img.bin"; nocase; http_uri; content:"Pragma: no-cache|0D 0A 0D 0A|"; nocase; http_header; content:!"Referer: "; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b1df8cce007cbfc42697087e3d61452e0534bbf0d3909c1d88f362463430547e/analysis/; classtype:trojan-activity; sid:37838; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/34gf5y/r34f3345g"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37835; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/lockycrypt.rar"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37834; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Torte variant outbound connection"; flow:to_server,established; content:"(Windows|3B| U|3B| "; fast_pattern:only; http_header; content:"?sessd="; http_uri; content:"&sessc="; distance:0; http_uri; content:"&sessk="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/800f8b125345784d532b29465b5c57d05287235d3535534186b5edf971bc7fe9/analysis/; classtype:trojan-activity; sid:37817; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:10; content:"post="; depth:5; fast_pattern; http_client_body; content:"/index.php"; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/522e5d4ea0771f5c0bc300c2d66a0445a66ae85bd4b50c21a502365db0a638d9/analysis/; classtype:trojan-activity; sid:37816; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex outbound connection"; flow:to_server,established; content:"|37 76 8A D4 53 C2 57 E2 49 98 7C 04 98 2A C2 EC 31 4C 29 05 1E F5 E0 1A AD C4 E3|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/BA64CEA40FF6F97C638B7A162EF26F5DE685868942D6203C2BBC3D71C17EA348/analysis/; classtype:trojan-activity; sid:38018; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt server reply"; flow:to_client,established; file_data; content:"-!!!INSERTED!!!-"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/362c4acfcf96f5cd923c8c225d1eb968175c57854029154eecd9832e62b1ecf1/analysis/; classtype:misc-activity; sid:38017; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Keranger outbound connection"; flow:to_server,established; content:"/osx/ping?user_id="; fast_pattern:only; http_uri; content:"&uuid="; http_uri; content:"&model="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153/analysis/; classtype:trojan-activity; sid:38116; rev:2;)
alert tcp $EXTERNAL_NET 2556 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Win.Trojan.Adwind"; flow:to_client,established; content:"|16 03|"; content:"|02|"; within:1; distance:3; content:"assylias.Inc"; within:175; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/2a6015cbc160df29cdce35dc7eef062658303c83de82e0a453b929a2dbc7a736/analysis/; classtype:trojan-activity; sid:38134; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection"; flow:to_server,established; content:"Accept|3A 20 F0|"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; content:"data="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/362c4acfcf96f5cd923c8c225d1eb968175c57854029154eecd9832e62b1ecf1/analysis/; classtype:trojan-activity; sid:38150; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; content:"/wp-includes/theme-compat/filefile.php"; fast_pattern:only; http_uri; content:"User-Agent: curl|0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/71b09e7a50487614156a9e918b7cc2491ee28636f0837ae2ef63f6f918269c2d/analysis/; classtype:trojan-activity; sid:38145; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FighterPOS variant outbound connection"; flow:to_server,established; content:"imhome=areyousure"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/121ac9d8f31efc54238a72e803f9c91ff32640d13fa0dc4d08d8ab560d4a8fb0/analysis/; classtype:trojan-activity; sid:38235; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"GET /news.asp HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:38261; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"GET /login/process.jsp HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:38260; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"/news.php HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:38259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"POST"; http_method; content:"/login1.asp"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38258; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"GET"; http_method; content:"/Query.asp?loginid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38257; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"CONNECT"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Accept: */*"; http_header; content:"Accept-Encoding|3A| identity"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38256; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"POST"; http_method; content:"/photos/photo.asp"; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38255; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Bifrose outbound connection"; flow:to_server; content:"|9B 4F B0 75 E2 76 96 04 5A F1 F9 43 D4 A2 6B|"; depth:15; offset:4; content:"|76 13 85 45 17 1B|"; within:6; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0a0d7bed3c8aa0e0e87e484a37e62b0bd0e97981b0bea55f6f3607316831ba5d/analysis/; classtype:trojan-activity; sid:38333; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/main.php"; fast_pattern:only; http_uri; urilen:9,norm; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:10,>,95,0,relative,string,dec; byte_test:10,<,115,0,relative,string,dec; content:"Connection|3A 20|Keep-Alive|0D 0A|Cache-Control|3A 20|no-cache"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33ab0605b83356e065459559bb81ec5e7464be563059fce607760517fedaf603/analysis/; classtype:trojan-activity; sid:38331; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials"; flow:to_server,established; content:"|01 00 00 00 41|"; depth:5; dsize:<10; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38359; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send logs"; flow:to_server,established; content:"|87 00 00 00 36|"; depth:5; dsize:100<>150; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38358; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials"; flow:to_server,established; content:"|01 00 00 00 3D|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38357; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant read logs"; flow:to_server,established; content:"|05 00 00 00 3A|"; depth:5; dsize:<10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38356; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 01|"; depth:5; dsize:5; metadata:impact_flag red, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38355; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs"; flow:to_server,established; content:"|01 00 00 00 3C|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38354; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|43 00 00 00 05|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38353; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant check logs"; flow:to_server,established; content:"|10 00 00 00 38|"; depth:5; dsize:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38352; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_server,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38380; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_client,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38379; rev:1;)
alert tcp $EXTERNAL_NET 4043 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 06|Lisbon"; content:"|55 04 0A 0C 10|Souppi Otiop SEM"; distance:6; content:"|55 04 03 0C 0E|wthcethesmw.ph"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38378; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Bedep.variant CNC server response"; flow:to_client,established; content:"Set-Cookie|3A| PHPSESSID="; content:"Set-Cookie|3A| splices="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.broadanalysis.com/2016/03/21/angler-ek-sends-teslacrypt-and-bedep-ad-fraud/; classtype:trojan-activity; sid:38367; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check"; flow:to_server,established; urilen:16; content:"/geoip/geoip.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38388; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"STOR Screenshot from|3A 20|"; fast_pattern; content:"|29|.png"; within:80; metadata:impact_flag red, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38387; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"PASS Goodman1986|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38386; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"USER obitex@benfoods.tk|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38385; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC VBS Trojan Downloading Encoded Executable"; flow:to_client,established; content:"Content-Type: image/jpeg"; http_header; file_data; content:"|30 0C 0D 17 44 14 16 0B 03 16 05 09 44 07 05 0A 0A 0B 10 44 06 01 44 16 11 0A 44 0D 0A 44 20 2B 37 44 09 0B 00 01|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/19f7eb767cb83d29a9262288390f23bab90dd25a594639d9bc1e1182461c75d5/analysis/1460560153/; classtype:trojan-activity; sid:38542; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Obfuscated Javascript Attack runtime detection"; flow:to_server,established; content:"/system/logs/87yhb54cdfy.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b04865eedf942078b123b13347930b871a75a02a982c71e68abaac2def7bd1ce/analysis/; classtype:trojan-activity; sid:38530; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8021,8022] (msg:"MALWARE-CNC XBot Command Request get_action"; flow:to_server,established; file_data; content:"eyJhY3Rpb24iOiJnZXRfYWN0aW9uIiwiZGV2aWNlSUQi"; depth:75; metadata:impact_flag red, policy security-ips drop; reference:url,researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/; classtype:trojan-activity; sid:38528; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC binary download while video expected"; flow:to_client,established; content:"Content-Type|3A 20|video/quicktime|0D 0A 0D 0A|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38517; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|61 63 36 62 66 34 64 30 66 35 36 30 30 30 34 36 32 37 31 31 30 33 39 39|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38516; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|39 64 30 33 66 65 66 35 30 30 62 39 30 30 34 36 32 37 31 31 30 33 32 35|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38515; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:9; content:"hi00"; fast_pattern:only; pcre:"/hi00[0-9]{5}/"; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38514; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/api?upload"; fast_pattern:only; http_uri; content:"Expect|3A 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/146889acc9c4a5dbda2de339320159560567b14f846653df727284076f092e63/analysis/1460466642/; classtype:trojan-activity; sid:38510; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; content:"|7C 7C|CM01|7C|CM02|7C|CM03|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/efd9036e675507da76cd0946408aedb814aff9da62d23de4f0680a4e7186a75c/analysis/1460471360/; classtype:trojan-activity; sid:38509; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TreasureHunter variant outbound connection"; flow:to_server,established; content:"/gate.php?report=true"; fast_pattern:only; http_uri; content:"report="; depth:7; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f/analysis/; classtype:trojan-activity; sid:38574; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TreasureHunter variant handshake beacon"; flow:to_server,established; content:"/gate.php?request=true"; fast_pattern:only; http_uri; content:"request="; depth:8; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/046d0b8024cea9c6aea2ef04b51ce9fd482214fbb3ef068a85c0f91f193f248f/analysis/; classtype:trojan-activity; sid:38573; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Coverton variant outbound connection"; flow:to_server,established; urilen:>13; content:"/idea.php?ch="; depth:13; http_uri; content:"Content-length: 0"; http_header; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/423524fa48a5139aaf7125073e98cf2204e56e43349360b05d665278e2841232/analysis/1460160722/; classtype:trojan-activity; sid:38567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt"; flow:to_server,established; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:"If-Unmodified-Since"; http_header; content:"Range"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38566; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt"; flow:to_server,established; content:"HEAD"; http_method; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:!"Content-Length"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38565; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt"; flow:to_server,established; content:"/post.php?"; fast_pattern:only; http_uri; content:"pl="; http_uri; content:"&education="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38564; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; file_data; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt"; flow:to_server,established; content:".p HTTP/1.1"; fast_pattern:only; content:"/plugins/"; http_uri; pcre:"/\/plugins\/[a-z]{3,10}\.p/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38561; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"JFIF"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38560; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"<br><br><b><big>"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38559; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"="; depth:4; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38558; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive"; http_header; content:!"Accept"; http_header; content:!"Content-Type"; http_header; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38557; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>185,norm; content:".php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; pcre:"/\.php\x3fd=[A-F0-9]{174}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38588; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt"; flow:to_client,established; content:"307"; http_stat_code; content:"Temporary Redirect"; http_stat_msg; content:"Set-Cookie|3A 20|DFSCOOK="; fast_pattern:only; content:"Location: "; content:"/api.php?d="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38587; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>180,norm; content:"/api.php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38586; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:139<>200,norm; content:"/wp-includes.php?d="; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38585; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection"; flow:to_server,established; content:"/img/script.php?"; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"UA-CPU|3A 20|"; http_header; content:!"Referer"; http_header; content:!"Accept-Language"; http_header; pcre:"/\/img\/script\.php\x3f.*\.mov$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38584; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 09|Bujumbura"; content:"|55 04 0A 0C 10|Wiqur Hitin ehf."; distance:6; content:"|55 04 03 0C 11|puppeitursilth.cz"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38621; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 0B|Ouagadougou"; content:"|55 04 0A 0C 16|Tiongon Wledb A.M.B.A."; distance:6; content:"|55 04 03 0C 10|ina.themanyag.zm"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38620; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wallex variant outbound connection"; flow:to_server,established; content:"php?sn="; nocase; http_uri; content:"&ob=obj_"; distance:0; fast_pattern; nocase; http_uri; content:"User-agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9c40bd71680049814ed521d43c3772a92cbf02e33dce61c9a8f7d31942a624f8/analysis/; classtype:trojan-activity; sid:38613; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download"; flow:to_client,established; content:"GODZILLA="; fast_pattern:only; content:"GODZILLA="; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/f597634ff5e2623baff35d99bfdb2aac1725c9f49805b4903c13093c43172cb7/analysis/1461593386; classtype:trojan-activity; sid:38610; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RockLoader variant outbound connection"; flow:to_server,established; urilen:5; content:"/api/"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|octet-stream"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d3cd3630b5709535f9bfa59c4ec75c8061262985919a43a175ec9d7e15c9419a/analysis/1461598531/; classtype:trojan-activity; sid:38608; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot variant outbound connection"; flow:to_server,established; urilen:30<>35,norm; content:"btst="; http_cookie; content:"snkz="; http_cookie; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38607; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot variant network speed test"; flow:to_server,established; content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38606; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UP007 variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.asp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header; content:"Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"UP007"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma/; classtype:trojan-activity; sid:38603; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadowndec outbound connection"; flow:to_server,established; content:"BootMemori.jmp"; fast_pattern:only; http_uri; content:"Accept-Encoding|3A 20|gzip, deflate"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7337ab543cdb3df2b8fb2930dd88ade6f9c70162852bb7a73af0a1b8ad72f2b/analysis/1451936129/; classtype:trojan-activity; sid:38647; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadowndec outbound connection"; flow:to_server,established; content:"ExtrMail.jmp"; fast_pattern:only; http_uri; content:"Accept-Encoding|3A 20|gzip, deflate"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7337ab543cdb3df2b8fb2930dd88ade6f9c70162852bb7a73af0a1b8ad72f2b/analysis/1451936129/; classtype:trojan-activity; sid:38646; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadowndec outbound connection"; flow:to_server,established; content:"look.jmp"; fast_pattern:only; http_uri; content:"Accept-Encoding|3A 20|gzip, deflate"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7337ab543cdb3df2b8fb2930dd88ade6f9c70162852bb7a73af0a1b8ad72f2b/analysis/1451936129/; classtype:trojan-activity; sid:38645; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadowndec outbound connection"; flow:to_server,established; content:"Boot.jmp"; fast_pattern:only; http_uri; content:"Accept-Encoding|3A 20|gzip, deflate"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7337ab543cdb3df2b8fb2930dd88ade6f9c70162852bb7a73af0a1b8ad72f2b/analysis/1451936129/; classtype:trojan-activity; sid:38644; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jadowndec outbound connection"; flow:to_server,established; content:"Evolution.jmp"; fast_pattern:only; http_uri; content:"Accept-Encoding|3A 20|gzip, deflate"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b7337ab543cdb3df2b8fb2930dd88ade6f9c70162852bb7a73af0a1b8ad72f2b/analysis/1451936129/; classtype:trojan-activity; sid:38643; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GozNym variant outbound connection"; flow:to_server,established; urilen:16<>21; content:"/index.php"; offset:7; http_uri; content:"|3D|"; depth:8; http_client_body; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/\/(?=[a-z0-9]*[0-9])(?=[a-z0-9]*[a-z])[a-z0-9]{5,10}\/index\.php/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/55f9cd6cbed53ccc26d6d570807a18f91d9d8c10db352524df424f356d305a6e/analysis/; classtype:trojan-activity; sid:38638; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Koohipa outbound beacon attempt"; flow:to_server; content:"SNAKE:"; depth:6; content:"B|7C|"; distance:0; content:"|7C|Beta 2.0"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/a462356722e6b10ad0be72105d7b9381d8a65b1b7563da707deb33cad983899c/analysis/1458243240/; classtype:trojan-activity; sid:38674; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"X-Umeng-Sdk:"; http_header; content:"com.android.googleUpdate"; http_header; content:"564a982767e58ea4fa00660c"; depth:24; offset:7; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ac7d44e34633d75148bc5e3e1f309ab93d16d965bcb80f528a1efd6e602b44c9/analysis/; classtype:trojan-activity; sid:38668; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BBSwift variant outbound connection"; flow:to_server,established; content:"/al?---"; depth:7; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a/analysis/1461910569/; classtype:trojan-activity; sid:38676; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ransom variant outbound connection"; flow:to_server,established; content:"/pass/index.php"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"Content-Length|3A 20|"; http_header; content:"guid="; http_client_body; content:"|40|aol.com"; http_client_body; pcre:"/\x26guid=[a-f0-9]{8}\-[a-f0-9]{40}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/85ad1270a7ef2637cdf56f9deeab2a7bb88488be1b19babe7e6372e57a0d7b6d/analysis/; classtype:trojan-activity; sid:38733; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2012: (msg:"MALWARE-CNC Win.Trojan.VBDos Runtime Detection"; flow:to_server,established; content:"Status|3A| "; depth:8; content:" |2D| Attacks Enabled |7C| "; within:25; distance:1; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/ca64911882c27481ff1b8401adc825248f0984d0f2078af63829bfb031188488/analysis/; classtype:trojan-activity; sid:38732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Renegin outbound GET attempt"; flow:to_server,established; content:"Logger%20Details|3A|%20%0D%0AServer%20Name|3A|%20"; fast_pattern:only; content:"%0D%0AKeylogger%20Enabled|3A|%20"; content:"0D%0AClipboard-Logger%20Enabled|3A|%20"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/6e4fa5f776b899d3d3d0cc1da69ff6165aefafd46f70ddb55399c73ba6f965cd/analysis/1462282274/; classtype:trojan-activity; sid:38724; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tooka POST attempt"; flow:to_server,established; content:"di.asp?id"; http_uri; content:"ASPSESSIONIDSSDBBRAC"; http_cookie; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/46267991aa61d0d3991a59fd847b90ce1c211bd3c76ccb3ab36a3c865892c323/analysis/1462218582/; classtype:trojan-activity; sid:38681; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tooka GET attempt"; flow:to_server,established; content:"tp=|0D 0A|Time|3A|"; fast_pattern:only; http_uri; content:"|0A|Agent|3A|"; http_uri; content:"|0D 0A|url|20|"; http_uri; content:"|0D 0A|Next|3A|"; http_uri; content:"|0A|delay|3A|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/46267991aa61d0d3991a59fd847b90ce1c211bd3c76ccb3ab36a3c865892c323/analysis/1462218582/; classtype:trojan-activity; sid:38680; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC CryptXXX initial outbound connection"; flow:to_server,established; content:"|20|"; depth:1; content:"|91 70 00 00 00 00 00 00 00 00 00 00|"; within:12; distance:35; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert; reference:url,virustotal.com/en/file/0b12584302a5a72f467a08046814593ea505fa397785f1012ab973dd961a6c0e/analysis/; classtype:trojan-activity; sid:38784; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex variant CNC traffic"; flow:to_client,established; file_data; content:"User-agent: Mediapartners-Google"; fast_pattern:only; content:"Disallow: /|0A|"; nocase; content:"Allow: /jsc/c"; within:300; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/87225c142a540789709a69dd3ce55ef9788e75d80e5ef650d02773e18db29c1f/analysis/; classtype:trojan-activity; sid:38917; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex download attempt"; flow:to_server,established; content:"/system/logs/"; http_uri; content:".exe"; within:100; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3eb08a5604d693d2d4489dfcde4085c62a5233085b3f4e8042e01a674bae14c2/analysis/; classtype:trojan-activity; sid:38916; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Kirts initial registration"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?SGF3a0V5ZSBMb2dnZXIg"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38891; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kirts exfiltration attempt"; flow:to_server,established; content:".php?fname=Hawkeye_Keylogger"; fast_pattern:only; http_uri; content:"&data="; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38890; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:13; content:"/userinfo.php"; fast_pattern:only; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d766d57bc549b3ac7b87b604e2103318eaf41b526086ffe0201d5778521c1b6/analysis/1462906540/; classtype:trojan-activity; sid:38888; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection"; flow:to_server,established; content:"/log.php?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header; content:"Accept|3A 20|*/*"; http_header; content:!"Referer"; http_header; pcre:"/\/log\.php\x3f[a-z]\x3d\d{3}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/11180a0ff4576e0dbbe48d77ed717e72678520516ff13f523cad832d1b9fa9ac/analysis/1462906326/; classtype:trojan-activity; sid:38887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bayrob variant outbound connection"; flow:to_server,established; dsize:8; content:"|4C 48 42 80 71 C2 A5 DF|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6b6b91cd104f4a6d32b5187131d9053911607672076e6ed26ed51369e5329cad/analysis/1462889491/; classtype:trojan-activity; sid:38886; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"MALWARE-CNC Win.Trojan.Cerber outbound registration attempt"; flow:to_server; dsize:9; content:"hi0"; fast_pattern:only; pcre:"/hi0[0-9a-f]{6}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/a5ff5f861bbb1ac7c6fd44f303f735fac01273ce2ae43a8acb683076192fcfcc/analysis/1462465221/; classtype:trojan-activity; sid:38885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt"; flow:to_server; file_data; content:"Passwords Recorded On "; fast_pattern; content:"Time of Recording:"; within:20; distance:22; content:"IP Address"; within:12; distance:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/en/file/5780e8408c8d5c84d1fbe5c53eeb77832a6af54fd41fab7f720c89fc10989340/analysis/1463495191/; classtype:trojan-activity; sid:38950; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection"; flow:to_server,established; content:"Accept: */*, Crypted, Ping, data=%s, POST, INSERTED"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; content:"data="; depth:5; http_client_body; isdataat:100,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/362c4acfcf96f5cd923c8c225d1eb968175c57854029154eecd9832e62b1ecf1/analysis/; classtype:trojan-activity; sid:38949; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeslaCrypt variant outbound connection"; flow:to_server,established; content:"Accept: e|0D 0A|"; fast_pattern:only; http_header; content:"data="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8e997b1e114c3b994eee0fc2435bf8bd5360847f0c9fafc82dea07a1c6f3a5fb/analysis/; classtype:trojan-activity; sid:39040; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Cookie: "; depth:37; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:"google.com|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9bb57a0b59d97a1d9bc4e08efb041156095b28b9148d26a8c0e143d1ef3077f7/analysis/; classtype:trojan-activity; sid:38995; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus config file download"; flow:to_server,established; content:"/config.jpg"; fast_pattern:only; http_uri; content:"Connection: Close"; http_header; content:!"Referer:"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/cbd0c9fcbde3627773da3ff2c8dc516e0107a8a12e442768ab2341a3b5142295/analysis/; classtype:trojan-activity; sid:38994; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.7ev3n variant outbound connection"; flow:to_server,established; content:"SSTART="; http_uri; content:"CRYPTED_DATA="; distance:0; http_uri; content:"ID="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/758b3c4beb8a0a8ed26830b0e79fc7da20de1c4943c3314c966d3227ed829974/analysis/; reference:url,virustotal.com/file/7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5/analysis/; classtype:trojan-activity; sid:39053; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adialer variant outbound connection"; flow:to_server,established; content:"/perl/invoc_oneway.pl?"; fast_pattern:only; http_uri; content:"nom_exe="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/EF7D19870822E461D218069EDB16EFDD1298A03F268470F0AD99B514823ADD45/analysis/; classtype:trojan-activity; sid:39052; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection"; flow:to_server,established; urilen:<31; content:"Accept|3A 20|*/*|0D 0A|UA-CPU|3A 20|"; fast_pattern:only; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Accept-Encoding|3A 20|gzip, deflate|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\/[a-z0-9]{8,10}\x3f[A-Za-z]{7,10}\x3d[A-Za-z]{6,10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0f8b6fd78c724b688f6467baf37f08c5ed198ea1b4224f31f50c8acbad49742/analysis/; classtype:trojan-activity; sid:39064; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot outbound POST attempt"; flow:to_server,established; content:"/odin/si.php?get&"; fast_pattern:only; http_uri; content:"news_slist"; http_uri; content:"comp="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/478132b5c80bd41b8c11e5ed591fdf05d52e316d40f7c4abf4bfd25db2463dff/analysis/1464186685/; classtype:trojan-activity; sid:39063; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rofin variant outbound connection"; flow:to_server,established; content:"|2F|?sid="; http_uri; content:"&uv="; within:4; distance:32; http_uri; content:"&tm="; within:4; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/E018D0041750C2C333EC538B0903623226AD98670C366E38E988E1BB5A08D237/analysis/; classtype:trojan-activity; sid:39056; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection"; flow:to_client,established; content:"=P4CK3T="; depth:32; content:"8_=_8"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39107; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection"; flow:to_server,established; content:"=P4CK3T="; depth:32; content:"8_=_8"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39106; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cript outbound connection"; flow:to_server,established; content:"/receive.php"; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; content:"pcid="; http_client_body; content:"disk="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/085f7a9aecc11759405ed010101d4ce33f08c9dc51716730ed9065fbc2d6f7b0/analysis/1464018911/; classtype:trojan-activity; sid:39086; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cript outbound connection"; flow:to_server,established; content:"/getkey.php"; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; content:"pcid="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/085f7a9aecc11759405ed010101d4ce33f08c9dc51716730ed9065fbc2d6f7b0/analysis/1464018911/; classtype:trojan-activity; sid:39085; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cript outbound connection"; flow:to_server,established; content:"/reg.php"; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; fast_pattern:only; content:"message="; http_client_body; content:"pcid="; http_client_body; content:"buildid="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/085f7a9aecc11759405ed010101d4ce33f08c9dc51716730ed9065fbc2d6f7b0/analysis/1464018911/; classtype:trojan-activity; sid:39084; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|3B 00 00 00 05|"; depth:5; dsize:<65; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/en/file/5db3b9ce06e334cb61279dd936a40be75df6732228bb692a7a84b1299eb09071/analysis/1464362377/; classtype:trojan-activity; sid:39080; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/themes/twentythirteen/stats.php"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39117; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DMALocker variant outbound connection"; flow:to_server,established; content:"/crypto/gate?"; http_uri; content:"action="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/e3cf8b37af9f19fe6cdf5068d757a57c1fe0d5d3da128e032edb662cceae64cc/analysis/; classtype:trojan-activity; sid:39116; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Helminth variant outbound connection"; flow:to_server,established; content:"UIET9fWR"; fast_pattern:only; content:"User-Agent: Mozilla/5.0"; http_header; content:"|20|Trident/5.0|0D 0A|"; within:14; distance:39; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/632be0a3d8d298f2ded928a4ac27846904ed842ad08b355acab53132d31eaf24/analysis/; classtype:trojan-activity; sid:39176; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.BlackShades Crypter outbound connection"; flow:to_server,established; content:"insert_data_"; nocase; http_uri; content:"pass="; distance:0; http_uri; content:"pc_name="; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fc2ad7ae3d6d4bd08d77443942ebb7fe219bace7c7beb8e837672da412baca11/analysis/; classtype:trojan-activity; sid:39173; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|"; distance:3; content:"|55 04 06 13 02|PW"; content:"|55 04 07 0C 08|Melekeok"; distance:6; content:"|55 04 0A 0C 0E|Merwh Whena NL"; distance:6; content:"|55 04 03 0C 16|pepa634.omeewengreq.mz"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39164; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|"; distance:3; content:"|55 04 06 13 02|BN"; content:"|55 04 07 0C 13|Bandar Seri Begawan"; distance:6; content:"|55 04 0A 0C 12|Cowchi Aromep LTD."; distance:6; content:"|55 04 03 0C 17|tsre131.eollaieefi.jprs"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39163; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06 13 02|US"; content:"|55 04 08 13 0A|California"; distance:6; content:"|55 04 07 13 0E|Redwood Shores"; distance:6; content:"|55 04 0A 13 14|Oracle America, Inc."; distance:6; content:"|55 04 0B 13 13|Code Signing Bureau"; distance:6; content:"|55 04 03 13 14|Oracle America, Inc."; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/9d54565f8fb7cf50df11bf9745f7efd04a49abb03e85a3aafbf9a5b5fcd065c9/analysis/; classtype:trojan-activity; sid:39160; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06 13 02|FR"; content:"|55 04 0A 13 0C|assylias.Inc"; distance:6; content:"|55 04 03 13 08|assylias"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/45e8df88b177cec3972f36284290eab652fb21806ef7e9575be853fb30528f28/analysis/; classtype:trojan-activity; sid:39159; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GozNym variant outbound connection"; flow:to_server,established; content:"/index.php?r=site/js&ref="; fast_pattern:only; http_uri; content:"&rnd="; offset:90; http_uri; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/55f9cd6cbed53ccc26d6d570807a18f91d9d8c10db352524df424f356d305a6e/analysis/; classtype:trojan-activity; sid:39322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FastPOS update request"; flow:to_server,established; content:"/cdosys.php?"; fast_pattern:only; http_uri; content:"update&username="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4542b18e102dea691474d6d4acbc97c80cc14e0949b0c37d9395d4bf1b189306/analysis/; classtype:trojan-activity; sid:39345; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FastPOS status update"; flow:to_server,established; content:"/cdosys.php?"; fast_pattern:only; http_uri; content:"statuslog&log="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4542b18e102dea691474d6d4acbc97c80cc14e0949b0c37d9395d4bf1b189306/analysis/; classtype:trojan-activity; sid:39344; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FastPOS keylog exfiltration"; flow:to_server,established; content:"/cdosys.php?"; fast_pattern:only; http_uri; content:"key&log=TWND"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/4542b18e102dea691474d6d4acbc97c80cc14e0949b0c37d9395d4bf1b189306/analysis/; classtype:trojan-activity; sid:39343; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FastPOS initial outbound connection"; flow:to_server,established; content:"/cdosys.php?"; fast_pattern:only; http_uri; content:"new&username="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4542b18e102dea691474d6d4acbc97c80cc14e0949b0c37d9395d4bf1b189306/analysis/; classtype:trojan-activity; sid:39342; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FastPOS credit card data exfiltration"; flow:to_server,established; content:"/cdosys.php?"; fast_pattern:only; http_uri; content:"add&log="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/en/file/4542b18e102dea691474d6d4acbc97c80cc14e0949b0c37d9395d4bf1b189306/analysis/; classtype:trojan-activity; sid:39341; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoRoger outbound POST attempt"; flow:to_server,established; content:"/wp-data.php"; fast_pattern:only; http_uri; content:"pc_id="; http_client_body; content:"ip="; http_client_body; content:"os="; http_client_body; content:"country="; http_client_body; content:"time_start="; http_client_body; content:"work_time="; http_client_body; content:"count="; http_client_body; content:"filesize="; http_client_body; content:"c="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/791f56a48891558c545fc7fc0a18c06aa4704b46bc42892059d2464c2646b785/analysis/1466609832/; classtype:trojan-activity; sid:39327; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lorozoad variant outbound connection"; flow:to_server,established; urilen:>30,norm; content:"/almaciat/"; fast_pattern:only; http_uri; content:".txt"; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e92aeffc99f1add2e005deff36d29063d18048fea0e5f93dbd69d9deca2c24bc/analysis/; classtype:trojan-activity; sid:39369; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/upload/_dispatch.php"; fast_pattern:only; http_uri; urilen:21; content:"x-requested-with: XMLHttpRequest"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/F438A40ED3531511FB14F8066C5312E012E117FBBFDFFC0D5BC1D8E45B8CDC7F/analysis/; classtype:trojan-activity; sid:39360; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Furtim variant outbound connection"; flow:to_server,established; urilen:7; content:"/22.php"; fast_pattern:only; http_uri; content:"Content-type: "; http_header; content:"Content-length: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/014b10de65ceceab0c9006df266e5e57ae1516091e2e16c94c5dbec07038d9d2/analysis/; classtype:trojan-activity; sid:39430; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qbot variant outbound connection"; flow:to_server,established; content:"zwlviewforumogaf.php"; fast_pattern:only; http_uri; content:"Host|3A| a.topgunnphoto.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480/analysis/1463667519/; classtype:trojan-activity; sid:39411; rev:1;)
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection"; flow:to_server,established; content:"=0D=0A"; fast_pattern:only; content:"iSpy Keylogger"; content:"=0D=0ABrowser"; content:"=0D=0AWebsite"; within:70; content:"=0D=0AUsername"; within:70; content:"=0D=0APassword"; within:70; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39410; rev:2;)
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection"; flow:to_server,established; content:"=0D=0A=0D=0A"; fast_pattern:only; content:"iSpy Keylogger"; content:"Computer Information"; content:"Username:"; within:30; content:"Installed"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39409; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Renos variant outbound connection"; flow:to_server,established; content:"/1wave.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.0)|0D 0A|"; http_header; content:"data="; depth:5; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ba4ef026d2ed2d35b88c0aa6d2dfebdf88982f914e37f016e322037c9a0874df/analysis/; classtype:trojan-activity; sid:39448; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection"; flow:to_server,established; urilen:<124; content:".php?computerid="; fast_pattern:only; http_uri; content:"&private=1"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8e068d74ea9fc87fe2d5bd0394851e69ce5489ff413d6a2a4952c304c9903f71/analysis/; classtype:trojan-activity; sid:39434; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zcryptor variant outbound connection"; flow:to_server,established; urilen:<124; content:".php?computerid="; fast_pattern:only; http_uri; content:"&public=1"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8e068d74ea9fc87fe2d5bd0394851e69ce5489ff413d6a2a4952c304c9903f71/analysis/; classtype:trojan-activity; sid:39433; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Unlock92 outbound connection"; flow:to_server,established; content:"cgi-bin/addcl.pl?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e216b2e3ec82ff4d0f1a60fa36bfbb7653b96f9ae6f0a5cdcf90385f5939e705/analysis/1467816074/; classtype:trojan-activity; sid:39465; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt"; flow:to_server,established; dsize:52; content:"|30 00 00 00 2B FF 4B F4|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39583; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt"; flow:to_client,established; dsize:36; content:"|20 00 00 00 2B FF 4B F4|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39582; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection"; flow:to_server,established; dsize:60; content:"|38 00 00 00 F5 13 89 53|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39581; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:68; content:"|40 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39580; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:60; content:"|38 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection"; flow:to_client,established; dsize:36; content:"|20 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39578; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00 00 00 86 CC 02 89 8F F7 A6 67|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39577; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:36; content:"|20 00 00 00 AD|"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39576; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:68; content:"|40 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|0A|"; within:1; distance:1; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39575; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00 00 00 D7 75 FF F7 C7 62 B9 82|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39574; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; dsize:12; content:"|08 00 00 00 27 C7 CC 6B C2 FD 13 0E|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39573; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mangit initial outbound connection"; flow:to_server,established; file_data; content:"mErro=DATA"; depth:10; fast_pattern; content:"ABERTURA"; within:50; content:"IP"; within:50; content:"Operacional"; within:50; content:"AVs"; within:200; content:"Navegador"; within:75; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/7367a4762e881cd14c9ccd88ebd90b776f2b9d50fd357cf97fa1b74a3490c14f/analysis/1465917801/; classtype:trojan-activity; sid:39653; rev:1;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kirts variant CNC IRC response attempt"; flow:to_client,established; content:":x.x 332 `|7C|"; fast_pattern:only; content:":x.x 333 `|7C|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8e972ef147b54da29d8d2185cd1c51c11b4bfc44286cae51f39c22f46400eaff/analysis/1468849475/; classtype:trojan-activity; sid:39650; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Ranscam request.html response"; flow:to_client,established; content:"src=|22|http|3A 2F 2F|crypted.site88.net/contactform.htm"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9541fadfa0c779bcbae5f2567f7b163db9384b7ff6d44f525fea3bb2322534de/analysis/; classtype:trojan-activity; sid:39636; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zeus variant inbound connection"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"filename="; http_header; content:"/us.xml"; within:20; fast_pattern; http_header; content:"Content-Type|3A 20|application/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/292c12a4c9cf8724c7bfa9ec73e1b703bd51720ea18cd4528e9be516d05b5628/analysis/1468961317/; classtype:trojan-activity; sid:39705; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/images"; depth:17; http_uri; urilen:>150; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; content:!"Accept:"; http_header; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:"/"; within:25; http_uri; content:".gif"; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3374f144acf7e8f555131019284dfff3e8a1659256b6f672f17d306b9110c6d8/analysis/; classtype:trojan-activity; sid:39686; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tinba variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"|20 2F|"; distance:0; content:"|2F 20|HTTP|2F|1.0"; within:30; content:"Host|3A 20|"; within:8; distance:2; content:"Content-Length: 157|0D 0A|"; http_header; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; content:"|00 80 00 00 00|"; depth:5; offset:24; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e4e1e525c171444cbfff0cc6cd841e369fcf23e50df18d8e07b79ea95a30ca2f/analysis/1468532483/; classtype:trojan-activity; sid:39685; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Xiazai outbound connection"; flow:to_server,established; content:"/api.php?id="; fast_pattern:only; http_uri; content:"qid="; http_uri; content:"rand="; distance:0; http_uri; content:"title="; distance:0; http_uri; content:"t="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/E9FFDB0EA3D9CD388C39330065E2E368231E633EADA0AD358BCB3B5D598ED180/analysis/; classtype:trojan-activity; sid:39730; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trans variant outbound connection"; flow:to_server,established; content:"/site/images/banners/casecor21.gif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a4c1234bb748f9bcabeb9ab990614fd4c1035135c5f5068fd42bace4b75fff0e/analysis/; classtype:trojan-activity; sid:39738; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qarallax initial outbound connection"; flow:to_server,established; content:"/qarallax-lib/bridj/bridj"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0d5785f13649c1ffdcf9d72d3d75ba634dcfe7c4d95ba33c7fb414639992c461/analysis/1470074002/; classtype:trojan-activity; sid:39774; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Alfa outbound connection"; flow:to_server,established; urilen:25; content:".ru|0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; pcre:"/^\x2f\w{24}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/606a9e10404805fd67180adf9bbbf43e74f9c4784ad2d41d825c4e64bfccba85/analysis/; classtype:trojan-activity; sid:39767; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 900 (msg:"MALWARE-CNC Win.Trojan.Spyrat variant outbound connection"; flow:to_server,established; content:"myversion|7C|2.5.2."; depth:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:39801; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"GUID="; depth:122; http_client_body; content:"BUILD="; depth:122; http_client_body; content:"INFO="; depth:122; http_client_body; content:"IP="; depth:122; http_client_body; content:"TYPE="; depth:122; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48/analysis/1469201551/; classtype:trojan-activity; sid:39800; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Lientchtp variant outbound connection"; flow:to_server,established; content:"/default.aspx?tmp="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (Compatible|3B| MSIE 6.0|3B|Windows NT 5.1)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fe012c0975c0287e4b164efe2b43dd4602bf40686d1e010ffd1023bc7e397fe2/analysis/; classtype:trojan-activity; sid:39785; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.NanHaiShu variant outbound connection"; flow:to_server,established; content:"/common.php"; nocase; http_uri; content:"action=aaa&data="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b0de26080a84ba0b15ea3f471fe6be5392efe770c53dbe5c0a8ed439b05731c6/analysis/; classtype:trojan-activity; sid:39861; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant executable download"; flow:to_server,established; content:"/limbomail"; http_uri; content:".exe"; within:30; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39857; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant executable download"; flow:to_server,established; content:".exe 1.1|0D 0A|User-Agent: "; depth:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39856; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant connectivity check"; flow:to_server,established; content:"POST"; http_method; urilen:8; content:"/autoit3"; fast_pattern:only; http_uri; content:!"Referer: "; http_header; content:!"Accept"; http_header; content:"Host: www.autoitscript.com|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39855; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant connectivity check"; flow:to_server,established; content:"POST"; http_method; urilen:24; content:"/go/flashplayer_support/"; fast_pattern:only; http_uri; content:!"Referer: "; http_header; content:!"Accept"; http_header; content:"Host: www.adobe.com|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39854; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant connectivity check"; flow:to_server,established; content:"POST"; http_method; urilen:18; content:"/support/shockwave"; fast_pattern:only; http_uri; content:!"Referer: "; http_header; content:!"Accept"; http_header; content:"Host: www.adobe.com|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39853; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sharik variant connectivity check"; flow:to_server,established; content:"POST"; http_method; urilen:18; content:"/support/main.html"; fast_pattern:only; http_uri; content:!"Referer: "; http_header; content:!"Accept"; http_header; content:"Host: www.adobe.com|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/505c34a8a4516586d2b7ecacf4082cf62937fe3ad1b85c713d6126fa603081f2/analysis/; classtype:trojan-activity; sid:39852; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vibro outbound connection detected"; flow:to_server,established; content:"/images/karma-autumn/bg-footer-bottom.jpg"; fast_pattern:only; http_uri; content:"ObIpcVG"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0B06282B4F87F0F32CABF34AABD1003905A077BF701B805F15E8042D864ACEF1/analysis/; classtype:trojan-activity; sid:39882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Toga variant outbound connection"; flow:to_server,established; content:"/install.php"; fast_pattern:only; http_uri; content:"{|22|installer|22 3A|"; nocase; http_client_body; content:"{|22|action|22 3A|"; within:20; nocase; http_client_body; content:"|22|downloadID|22 3A|"; within:30; nocase; http_client_body; content:"|22|installerVersion|22 3A|"; within:50; nocase; http_client_body; content:"|22|os|22 3A|"; within:20; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/131EC876DE25E767F03DE1DFE228E921F58CF25C8906497F9C37A6E814E3233A/analysis/; classtype:trojan-activity; sid:39887; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adnel outbound connection detected"; flow:to_server,established; content:"/wlogo.jpg"; fast_pattern:only; http_uri; content:"H6h6="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/AA676D2C92FC96BE5D6C70FF7E1C9CB57164BF6860A4FD71AFC96CF0E97EE7F8/analysis/; classtype:trojan-activity; sid:39909; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.BlackEnergy outbound connection"; flow:to_server,established; content:"POST|20|/getcfg.php"; content:"id=x"; distance:210; content:"build_id="; within:60; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/; classtype:trojan-activity; sid:39931; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Neutrino outbound connection"; flow:to_server,established; content:"/getdata.php"; fast_pattern:only; http_uri; content:"clientid="; http_client_body; content:"clienturl="; http_client_body; content:"templatename="; http_client_body; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; sid:39921; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Neutrino outbound connection"; flow:to_server,established; content:"/getdata.php"; http_uri; content:"clientid="; http_uri; content:"clienturl="; fast_pattern:only; http_uri; content:"templatename="; http_uri; metadata:impact_flag red, policy security-ips drop, service http; classtype:trojan-activity; sid:39920; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger |7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:39911; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shakti variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/external/update"; fast_pattern:only; http_uri; content:"MSMQ"; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, service http; reference:url,virustotal.com/en/filed6d64c61dada8b5ccfa970356057a6c2c7697f084922744c5a2e29aff079647b/analysis/; classtype:trojan-activity; sid:40027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Madeba outbound connection detected"; flow:to_server,established; content:"/yISVfed/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40016; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:14; content:"/data/info.php"; fast_pattern:only; http_uri; content:"x-requested-with: XMLHttpRequest"; http_header; content:"Referer|3A| http|3A|"; http_header; content:"/data"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f29ce76169727ff5a43ef7baa5c4e04f7d3302189e3d2a31cfc9dec39e84ad03/analysis/; classtype:trojan-activity; sid:40011; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nemim outbound connection detected"; flow:to_server,established; content:"/bin/read_i.php"; fast_pattern:only; http_uri; content:"a1="; nocase; http_uri; content:"a2="; nocase; http_uri; content:"a3="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5A116B4ABBAC55622C6DA389E6A3F485334DCDDE05AFBB9F2F65C63DE8B55DA1/analysis/; classtype:trojan-activity; sid:40007; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Donoff outbound connection detected"; flow:to_server,established; content:"/wp.jpg"; nocase; http_uri; content:"JdTIv="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/D286523C14B40ABC73D2A451843A265E6095500936C57F4AEC362764FE383C13/analysis/; classtype:trojan-activity; sid:39969; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Donoff outbound connection detected"; flow:to_server,established; content:"/newera/walkthisland/greenland.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/D286523C14B40ABC73D2A451843A265E6095500936C57F4AEC362764FE383C13/analysis/; classtype:trojan-activity; sid:39968; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Folyris outbound connection detected"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"a="; nocase; http_client_body; content:"%"; within:5; http_client_body; content:"b="; nocase; http_client_body; content:"c="; nocase; http_client_body; content:"%"; within:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/59BC587065503644E7528C5AD633A01A660C90DAB2C8448CD285DA27BC4F1951/analysis/; classtype:trojan-activity; sid:39958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection"; flow:to_server,established; content:"/falssk/fksgieksi.php"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"username="; depth:500; content:"pcname="; depth:500; content:"aesencrypted="; depth:500; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b/analysis/; classtype:trojan-activity; sid:40045; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Fantom post encryption outbound connection"; flow:to_server,established; content:"/users/Gurudrag/folders/Default/media/9289aabe-7b4a-4c7f-b3bb-bdf3407e7a2f/fantom1.jpg"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b/analysis/; classtype:trojan-activity; sid:40044; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Fantom outbound connection"; flow:to_server,established; content:"/themes/prestashop/cache/stats.php"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b/analysis/; classtype:trojan-activity; sid:40043; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit outbound connection"; flow:to_server,established; content:"/nimda.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/682fa75de9a2c11d5bdc9545ebc914af00921c807be5bb86296321bc55e08c86/analysis/1473171128/; classtype:trojan-activity; sid:40067; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Morel variant inbound connection"; flow:established, to_client; content:"|C0 00|"; depth:2; content:"|00|"; within:1; distance:1; byte_jump:4,4,relative, post_offset -1; isdataat:!1,relative; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f/analysis/; classtype:trojan-activity; sid:40062; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Morel variant outbound connection"; flow:established, to_server; content:"|C0 00|"; depth:2; content:"|00|"; within:1; distance:1; byte_jump:4,4,relative, post_offset -1; isdataat:!1,relative; metadata:impact_flag red; reference:url,www.virustotal.com/en/file/a9152e67f507c9a179bb8478b58e5c71c444a5a39ae3082e04820a0613cd6d9f/analysis/; classtype:trojan-activity; sid:40061; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected"; flow:to_server,established; content:"v="; nocase; http_uri; content:"subver="; nocase; http_uri; content:"pcrc="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/46F379E47B19AD658A1B08A83D322AAE8B480A936B4758DBD6A55202DE5D960D/analysis/; classtype:trojan-activity; sid:40060; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hadsruda outbound connection detected"; flow:to_server,established; content:"/KMPlayer/"; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; content:"c="; nocase; http_uri; content:"t="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/46F379E47B19AD658A1B08A83D322AAE8B480A936B4758DBD6A55202DE5D960D/analysis/; classtype:trojan-activity; sid:40059; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Ogimant outbound connection detected"; flow:to_server,established; content:"data_files="; fast_pattern:only; http_uri; content:"name="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/576e6b9302d4c633133d37b189d4cb0c77f9e10b945ec7ed73c23d830a8a93d9/analysis/; classtype:trojan-activity; sid:40215; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Ogimant outbound connection detected"; flow:to_server,established; content:"/aj.get_bin_domain.pl"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/576e6b9302d4c633133d37b189d4cb0c77f9e10b945ec7ed73c23d830a8a93d9/analysis/; classtype:trojan-activity; sid:40214; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkShell external connection attempt"; flow:to_server,established; content:"/ad1in.htm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7bfdaf8eb794f5180dea83200b3975f230d9b30c13e0f0845ee87be426e3299e/analysis/; classtype:trojan-activity; sid:40213; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1395 (msg:"MALWARE-CNC Win.Trojan.Bulta external connection attempt"; flow:to_server,established; content:"/avlove.exe"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6ff1c09d9069e604b8c5b1d6c48aa2a24aa310c30d0b6dd7c1f5e2fb800bc48e/analysis/; classtype:trojan-activity; sid:40209; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Comisproc outbound connection detected"; flow:to_server,established; content:"/res/s60.v3.php"; fast_pattern:only; http_uri; content:"ckfub="; http_uri; content:"cid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/60e95207b932a0574ab673bd2c3eaf39f3befae1d78730d1ce9d8ddc836f3793/analysis/; classtype:trojan-activity; sid:40207; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Comisproc outbound connection detected"; flow:to_server,established; content:"/pab.php"; fast_pattern:only; http_uri; content:"b="; http_uri; content:"idf="; http_uri; content:"v="; http_uri; content:"o="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/60e95207b932a0574ab673bd2c3eaf39f3befae1d78730d1ce9d8ddc836f3793/analysis/; classtype:trojan-activity; sid:40206; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Comisproc outbound connection detected"; flow:to_server,established; content:"az.php"; fast_pattern:only; http_uri; content:"step="; http_uri; content:"o="; http_uri; content:"id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/60e95207b932a0574ab673bd2c3eaf39f3befae1d78730d1ce9d8ddc836f3793/analysis/; classtype:trojan-activity; sid:40205; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qiwmonk outbound connection detected"; flow:to_server,established; content:"/youxi/index_1_1.htm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/775c7bd9e820c4dfd0fabdfeade2de901414bd46d2691ea5020a818f6a42eb83/analysis/; classtype:trojan-activity; sid:40204; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Drolnux variant outbound connection"; flow:to_server, established; content:"TWFpbE91IEF0IFRoaXMgQ29tcHV0ZXIgTmFtZSA6"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c726d216e9195b7ac0bb73ff57f2e68bba297b4aac868a5d73743ec617e2d8c7/analysis/; classtype:trojan-activity; sid:40203; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malex variant outbound connection"; flow:to_server,established; content:"/test/lib/md.sys"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b9d5d42b3c68908d326d278d4c03a932754f3dbea903d1b042b4c9900a2ec7a9/analysis/; classtype:trojan-activity; sid:40183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector external connection attempt"; flow:to_server,established; content:"WinHttp.WinHttpRequest.5"; fast_pattern:only; http_header; content:".php?m="; http_uri; content:"h="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/93632d83a1f1f0aaea0ea0b6bf31cf4400cefbfcffb8440c8d906793465fcc70/analysis/; classtype:trojan-activity; sid:40223; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Keylogger.AgentTesla variant outbound connection"; flow:to_server,established; content:"/post.php"; fast_pattern:only; http_uri; content:"type="; nocase; http_client_body; content:"hwid="; nocase; http_client_body; content:"pcname="; nocase; http_client_body; content:"username="; nocase; http_client_body; content:"password="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/db144f38a8f57940fc80cf0dca3e8f722817aacd769511336424f2ad6f231293/analysis/; reference:url,zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting; classtype:trojan-activity; sid:40238; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CeeInject external connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control|3A| no-cache|0D 0A|"; http_header; content:".htm?"; depth:5; offset:2; http_uri; content:!"="; distance:0; http_uri; pcre:"/^\/[a-z]\.htm\?[a-zA-Z0-9]{16}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ae3a86a7338acb6e76442ecd40b473659a3be72c829e6f4bf9c8d8b92424aabd/analysis/; classtype:trojan-activity; sid:40232; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Perseus variant outbound connection"; flow:to_server,established; content:"mashine="; fast_pattern:only; http_client_body; content:"publickey="; http_client_body; content:"user="; http_client_body; content:"os="; http_client_body; content:"processor="; http_client_body; content:"mac="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40252; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.QuantLoader external connection attempt"; flow:to_server,established; content:"/q/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"c="; http_uri; content:"mk="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1e278e78a4261ebd65d2fc9b2d477bb8c19e15a22aea669947b531859cd12216/analysis/; classtype:trojan-activity; sid:40249; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpy variant outbound connection"; flow:to_server,established; content:"/panel/insert"; fast_pattern:only; http_uri; content:"key="; nocase; http_client_body; content:"pcname="; nocase; http_client_body; content:"log="; nocase; http_client_body; content:"Username"; nocase; http_client_body; content:"Password"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:40242; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected"; flow:to_server,established; flowbits:isset,file.macho64le; file_data; content:"ASS7"; content:"|B9 06 0D 22 00 00 00 00 20 14 01 00 20 14 01 00 D0 09 00 00 1D 03 00 00 02 00 00 00 6C 2E B7 FF CF FA ED FE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/23296f664e9d40be3a20f6bb4e5bb328556e0aa0408fb006725f9db72ae4682c/analysis/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40262; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected"; flow:to_client,established; flowbits:isset,file.macho64le; file_data; content:"ASS7"; content:"|B9 06 0D 22 00 00 00 00 20 14 01 00 20 14 01 00 D0 09 00 00 1D 03 00 00 02 00 00 00 6C 2E B7 FF CF FA ED FE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/23296f664e9d40be3a20f6bb4e5bb328556e0aa0408fb006725f9db72ae4682c/analysis/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40261; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt"; flow:to_server,established; content:"/icloudsyncd"; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40260; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected"; flow:to_server,established; flowbits:isset,file.macho64le; file_data; content:"ASS7"; content:"|B9 06 0D 22 00 00 00 00 40 03 01 00 40 03 01 00 D0 09 00 00 22 03 00 00 02 00 00 00 6C 2E B7 FF CF FA ED FE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/8d2bd504125d815339af52558a38f804048a56a213424378af83fd3c0d4c131c/analysis/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40259; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant backdoor detected"; flow:to_client,established; flowbits:isset,file.macho64le; file_data; content:"ASS7"; content:"|B9 06 0D 22 00 00 00 00 40 03 01 00 40 03 01 00 D0 09 00 00 22 03 00 00 02 00 00 00 6C 2E B7 FF CF FA ED FE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/8d2bd504125d815339af52558a38f804048a56a213424378af83fd3c0d4c131c/analysis/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40258; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Philadelphia variant status update outbound connection"; flow:to_server,established; content:"s=Encrypting"; fast_pattern:only; http_uri; content:"p=Ping"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-9th-2016-crypy-crylocker-philadelphia-and-more/; reference:url,www.virustotal.com/en/file/160cb44b1bc8fa8780e558f1aed686fed83d47208a9ec5cb9a3fa1b8b57f9988/analysis/; classtype:trojan-activity; sid:40290; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Philadelphia variant initial outbound connection"; flow:to_server,established; content:"User-Agent: AutoIt"; fast_pattern:only; http_header; content:"ucd="; nocase; http_uri; content:"osinfo="; nocase; http_uri; content:"user="; nocase; http_uri; content:"p="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40289; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poxters external connection"; flow:to_server,established; content:"page="; depth:5; fast_pattern; http_client_body; content:"&opt="; distance:0; http_client_body; content:"&view="; distance:0; http_client_body; content:"&var="; distance:0; http_client_body; content:"&val="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/382b99aec353f9d07eebea4cce588bad18802ec14666d224631f1ceefc69fdfe/analysis/; classtype:trojan-activity; sid:40288; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected"; flow:to_server,established; flowbits:isset,file.macho64le; file_data; content:"/tmp/com.apple.icloudsyncd"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; classtype:trojan-activity; sid:40311; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant dropper detected"; flow:to_client,established; flowbits:isset,file.macho64le; file_data; content:"/tmp/com.apple.icloudsyncd"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; classtype:trojan-activity; sid:40310; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Randrew variant outbound connection"; flow:to_server, established; content:"/narquad.php?"; fast_pattern:only; http_uri; content:"User-Agent"; nocase; http_header; content:"AutoIt"; within:20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ddcd92dd52d288035c5f14602e9f655989408b56257169221518b861f262cecf/analysis/; classtype:trojan-activity; sid:40309; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Backdoor.MSIL.Kazybot.A botnet server connection attempt"; flow:to_server, established; content:"/kazybot/add.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d2e5d0614b9aded4c4f0398333ec4f90420fbe740d3bd8b56981ef7f73df9658/analysis/; classtype:trojan-activity; sid:40308; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/plat/appdirgame/images/app_ico/AppID"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c1c7293064d5711fcfde17ff62cf1021c6184f5fb8301a09d1ce2d7fe323c3f4/analysis/; classtype:trojan-activity; sid:40334; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"MALWARE-CNC Win.Trojan.Cry variant outbound connection"; flow:to_server,no_stream; content:"|84 A1 76 01 A1 63 C4 14|"; depth:8; detection_filter:track by_src,count 100, seconds 20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40340; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cry variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/upload"; http_uri; content:"r9o2uqc7l1m4mje165k24ikvg2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bartallex outbound connection detected"; flow:to_server,established; content:"rara.txt"; fast_pattern; http_uri; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/1ad1da5b93b59267a6ce72d7613ac1c973fd2c416c44d280351373d059e2879d/analysis/; classtype:trojan-activity; sid:40338; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon"; flow:to_server,established; urilen:1; content:"signature="; nocase; http_client_body; content:"ver="; nocase; http_client_body; content:"gcdata="; fast_pattern:only; http_client_body; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7e60a0d9e9f6a8ad984439da7b3d7f2e2647b0a14581e642e926d5450fe5c4c6/analysis/; classtype:trojan-activity; sid:40433; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marsjoke variant post infection beacon"; flow:to_server,established; urilen:1; content:"live=1|0D 0A|"; fast_pattern:only; http_client_body; content:!"User-agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7e60a0d9e9f6a8ad984439da7b3d7f2e2647b0a14581e642e926d5450fe5c4c6/analysis/; classtype:trojan-activity; sid:40432; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Deshacop variant outbound connection"; flow:to_server,established; content:"/cgi-bin/r_add.pl"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b6c227b53cc592f01a3c3fdae0453afb969066a3fb5490b1dde34457be4da6ca/analysis/; classtype:trojan-activity; sid:40461; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Downloader.Agent file download attempt"; flow:to_server,established; content:"/fr/mso/onedrive"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,virustotal.com/en/file/e9473e7e548cad4614d0da1231755d4e8350028c115615107f218846645a5dc3/analysis/1476116981/; classtype:trojan-activity; sid:40450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/apache_handler.php"; fast_pattern:only; http_uri; content:"x-requested-with: XMLHttpRequest"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fa53964b04cfbbc41129ff8c3422e5049c863982ed415ddab4567ddd702aae04/analysis/; classtype:trojan-activity; sid:40449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent variant outbound connection"; flow:to_server,established; content:"User-Agent"; http_header; content:"WinHttp.WinHttpRequest"; fast_pattern; http_header; content:"/images"; http_uri; content:".php"; within:10; distance:1; http_uri; pcre:"/\x2fimages\d+\x2ephp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4454bc71e652122a15f86e0750a875b7dc0877adcb471f5b887c8bd23bf978a4/analysis/; classtype:trojan-activity; sid:40445; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.Agent variant outbound connection"; flow:to_server,established; content:"User-Agent"; http_header; content:"WinHttp.WinHttpRequest"; fast_pattern; http_header; content:"/apps"; http_uri; content:".php"; within:10; distance:1; http_uri; pcre:"/\x2fapps\d+\x2ephp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/ccbe08990d7208826196ba927bff8f2952bb7d239abf18c5bb8c0c33671acc0c/analysis/; classtype:trojan-activity; sid:40444; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hades outbound connection"; flow:established,to_server; content:"hwid="; depth:5; http_client_body; content:"&tracking_id="; distance:0; http_client_body; content:"&usercomputername="; within:22; http_client_body; content:"&ip="; within:83; http_client_body; content:"&country="; within:24; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/068524c96e6643bcd97d61dd8bc1a0c2b229666ab610f688f1ab96ae4a10c02c/analysis/; classtype:trojan-activity; sid:40467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection"; flow:to_server,established; content:"program="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"b_typ="; fast_pattern; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/eeda68acf62e32b232cedd5d51338e899e217a512c8a255cfda3400e106d5b71/analysis/; classtype:trojan-activity; sid:40466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kapahyku variant outbound connection"; flow:to_server,established; content:"p="; nocase; http_uri; content:"tid="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"b_typ="; fast_pattern; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/eeda68acf62e32b232cedd5d51338e899e217a512c8a255cfda3400e106d5b71/analysis/; classtype:trojan-activity; sid:40465; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8000] (msg:"MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection"; flow:to_server, established; content:"clientmobile:"; fast_pattern:only; nocase; http_header; content:"mobileimsi:"; nocase; http_header; content:"mobileimei:"; nocase; http_header; content:"User-Agent: Apache-HttpClient/UNAVAILABLE"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.anubisnetworks.com/blog/androidbauts-advertising-with-a-bit-more-than-expected; classtype:trojan-activity; sid:40501; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [8088,18001,18088] (msg:"MALWARE-CNC Andr.Tool.Snowfox Androidbauts/snowfox outbound connection"; flow:to_server, established; content:"POST"; depth:4; content:"/sdk/api/"; within:60; fast_pattern; content:"Expect: 100-continue"; content:!"User-Agent:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.anubisnetworks.com/blog/androidbauts-advertising-with-a-bit-more-than-expected; classtype:trojan-activity; sid:40500; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Satana ransomware outbound connection"; flow:to_server,established; content:"/add.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"code="; http_client_body; content:"sdata="; http_client_body; content:"name="; http_client_body; content:"md5="; http_client_body; content:"dlen="; http_client_body; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/1477327210/; classtype:trojan-activity; sid:40541; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/linuxsucks.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/0fae0d66d3df6cdf8ab777d2df6b7ddc07f917d3d89040947d48d3ef7271b699/analysis/; classtype:trojan-activity; sid:40527; rev:2;)
alert tcp any any -> any 23 (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt"; flow:to_server,established; content:"echo -"; content:"e"; within:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40523; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,5555,7547] (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise fingerprinting"; flow:to_server,established; content:"/bin/busybox "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40522; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"arm"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]armv?\d?\w?$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40521; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"sh4"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]sh4$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40520; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"mips"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]mips$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40519; rev:6;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Odinaff C&C"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 03 0C 1C|selfsigned.cloudwaysapps.com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098/analysis/1477342434/; classtype:trojan-activity; sid:40567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpy variant outbound connection"; flow:to_server,established; content:"iSpyKelogger"; fast_pattern:only; http_uri; content:"gate="; http_client_body; content:"token="; distance:0; http_client_body; content:"name="; distance:0; http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/11e611585bfb6ff1f823e3c035ef6cfae39dfe2209e15ed01a8db8b3f9526519/analysis/1477417828/; classtype:trojan-activity; sid:40559; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt"; flow:to_server,established; content:"/LetsGo.php?A="; fast_pattern:only; http_uri; content:"Sytem="; http_uri; content:"qual="; http_uri; content:!"Accept"; http_header; content:!"referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt"; flow:to_server,established; content:"/images/"; fast_pattern:only; http_uri; content:".rar"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40550; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection"; flow:to_server,established; content:"/victim.php?info="; fast_pattern:only; http_uri; content:"&ip="; http_uri; content:"info="; http_uri; content:"User-Agent|3A 20|Python-urllib/"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e/analysis/1477329470/; classtype:trojan-activity; sid:40549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Redosdru variant outbound connection"; flow:to_server,established; content:"/NetSyst88.dll"; fast_pattern:only; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3d83997bbb28d6bf468be27471f5d97bc20631a5c2e8a9e73d635f6bf906f743/analysis/; classtype:trojan-activity; sid:40548; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; urilen:>18,norm; content:"Cache-Control"; nocase; http_header; content:"no-cache"; within:20; nocase; http_header; content:!"http"; depth:4; nocase; http_uri; content:".jpg?"; fast_pattern; nocase; http_uri; content:"="; within:8; distance:4; http_uri; pcre:"/\.jpg\x3f[a-f0-9]{4,7}\x3d\d{6,8}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:40606; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/t_100_v400/"; fast_pattern:only; http_uri; content:"rnd="; nocase; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:40605; rev:2;)
alert tcp any any -> any 23 (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise activity"; flow:to_server,established; content:"wget"; fast_pattern:only; content:"curl"; nocase; content:"tftp"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40601; rev:1;)
alert tcp any any -> any 23 (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt"; flow:to_server,established; content:"|5C|177|5C|105|5C|114|5C|106"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40600; rev:1;)
alert tcp any any -> any 23 (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise echo loader attempt"; flow:to_server,established; content:"|5C|x7F|5C|x45|5C|x4C|5C|x46"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40599; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Berbew variant outbound connection"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"vvpupkin0="; fast_pattern:only; nocase; http_client_body; content:"vvpupkin1="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5d613287da418539b8bcb65e03ed9510d044d0a8ebf50d9716784b5836005df0/analysis/; classtype:trojan-activity; sid:40596; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download attempt"; flow:to_server,established; content:"/bins/mirai"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:40612; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant download attempt"; flow:to_server,established; content:"/img/temp/head.png?pr="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f7cada38c0dfcda63c506298972d3a96723d7983266100ee087b5bf486c5480c/analysis/1477669084/; classtype:trojan-activity; sid:40611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Komplex outbound connection"; flow:to_server, established; content:"User-Agent: kextd (unknown version)"; fast_pattern; http_header; content:"CFNetwork/"; within:20; http_header; content:"Darwin/"; within:20; http_header; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5/analysis/; classtype:trojan-activity; sid:40710; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Komplex outbound connection"; flow:to_server, established; content:"User-Agent: kextd (unknown version)"; fast_pattern; http_header; content:"CFNetwork/"; within:20; http_header; content:"Darwin/"; within:20; http_header; content:"POST"; http_method; pcre:"/(\/[0-9a-z]{1,6}){1,5}\/[0-9a-z]{1,7}(\.zip|\.xml|\.htm|\.pdf)\/\?[0-9a-z]{1,3}=[0-9a-z\/+]*=?=?/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/227b7fe495ad9951aebf0aae3c317c1ac526cdd255953f111341b0b11be3bbc5/analysis/; classtype:trojan-activity; sid:40709; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autoit-73 configuration file download attempt"; flow:to_server, established; content:"/setting.xls"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/31ce41f68808d96898652641ed5ab4ec408d289db4dc1065238b48aa3c151937/analysis/; classtype:trojan-activity; sid:40752; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autoit-73 configuration file download attempt"; flow:to_server, established; content:"/setting.doc"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/31ce41f68808d96898652641ed5ab4ec408d289db4dc1065238b48aa3c151937/analysis/; classtype:trojan-activity; sid:40751; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"point.php"; nocase; content:"GENERAL="; nocase; http_client_body; content:"VERSAO="; nocase; http_client_body; content:"NAVEGADOR="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7629176ec200138dc19d7fc04954d1a1563070f7549522bc25f0f46508971ea0/analysis/; classtype:trojan-activity; sid:40775; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Miuref variant outbound connection"; flow:to_server,established; content:"/7dphr-support/"; fast_pattern:only; http_uri; content:"ref="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fb0db4bcf2ea296937f9eb2dbbd3fa433b3200703a6b74336c3a99f15bf4d406/analysis/; classtype:trojan-activity; sid:40771; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response"; flow:to_server,established; content:"send|7C|G|7C 7C|Cont|7C|acts|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40764; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response"; flow:to_server,established; content:"|7C|ge|7C|t|7C|SM|7C|S|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40763; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection"; flow:to_client,established; content:"Server Prent <please>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40762; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 12421 (msg:"MALWARE-CNC Win.Trojan.Syscan outbound connection"; flow:to_server,established; content:"POST /manual_result"; depth:19; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/31833c4b179c4e4de44932c57debfb6562bb6e833d9fd1415fee6411aacea45b/analysis/; classtype:trojan-activity; sid:40761; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nesxlh variant outbound connection"; flow:to_server,established; content:"/personLog.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/cb98cc92d68aee3c216c9e183189dc7803b0d182883ddaa71d21a6fe2e1de8ac/analysis/; classtype:trojan-activity; sid:40797; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nesxlh variant outbound connection"; flow:to_server,established; content:"/personSettings.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/cb98cc92d68aee3c216c9e183189dc7803b0d182883ddaa71d21a6fe2e1de8ac/analysis/; classtype:trojan-activity; sid:40796; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Nesxlh variant outbound connection"; flow:to_server,established; content:"/commonSettings2.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/cb98cc92d68aee3c216c9e183189dc7803b0d182883ddaa71d21a6fe2e1de8ac/analysis/; classtype:trojan-activity; sid:40795; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Rtf.Trojan.Mauris outbound download attempt"; flow:to_server,established; content:"/hf.db"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f0c53400fd601f197a96b07edc77b70363985ca8f25fb83615d3496032f1eb2c/analysis/1479309350/; classtype:trojan-activity; sid:40812; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [15963,1114,9999,80,81,1177,1100] (msg:"MALWARE-CNC Logbro variant outbound connection"; flow:to_server,established; content:"AW|5C|WORM/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/4caea86e8e2a5ae89c114a3d6cd58ea9e2f1d6000f4ddf1e9de6bec490bed3b1/analysis/; classtype:trojan-activity; sid:40824; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gendwndrop variant outbound connection"; flow:to_server,established; content:"r=site/GCE"; fast_pattern:only; http_uri; content:"|2F 2F|"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2cee41404ca3a8be608cda9343a4c772259ed20fd25af01f35e281f734f896d4/analysis/; classtype:trojan-activity; sid:40823; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/message.php"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|XMLHttpRequest|0D 0A|"; http_header; content:"Referer|3A 20|"; http_header; content:"Accept|3A 20|*/*|0D 0A|Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ab082d6047fb73b9de7ebc59fb12fa1f8c2d547949d4add3b7a573d48172889b/analysis/1479147777/; classtype:trojan-activity; sid:40816; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt"; flow:to_client,established; dsize:23; content:"file_manager_"; depth:13; offset:4; pcre:"/file_manager_(init|root|faf)\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40836; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt"; flow:to_client,established; content:"screen_thumb|0D 0A|"; depth:14; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40835; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt"; flow:to_client; dsize:24; content:"silence_screenshot|0D 0A|"; depth:20; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40834; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt"; flow:to_client; content:"screenshot_init|0D 0A|"; depth:17; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40833; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt"; flow:to_client,established; dsize:23; content:"silence_keylogger|0D 0A|"; depth:19; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:40832; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_houdini|0D 0A|"; depth:13; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40831; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"/category/page.php"; http_uri; content:"shinu="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/; classtype:trojan-activity; sid:40906; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/information.cgi"; depth:16; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40910; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; dsize:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; content:!"Accept"; nocase; http_header; content:!"Via"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/af385c983832273390bb8e72a9617e89becff2809a24a3c76646544375f21d14/analysis/; classtype:trojan-activity; sid:41031; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ostap out bound communication attempt"; flow:to_server,established; content:"/ostap.php"; fast_pattern:only; http_uri; content:"/ostap.php"; depth:20; offset:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41089; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt"; flow:to_server,established; content:"/GOLD/bender.php"; http_uri; content:"User-Agent: Mr.White|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41088; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Agent variant compromise download attempt"; flow:to_server,established; file_data; content:"|36 36 30 32 64 30 32 30 65 39 61 62 34 31 31 36 62 65 38 31 33 63 32 32 37 37 38 34 64 61 30 38|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41136; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant compromise download attempt"; flow:to_client,established; content:"|36 36 30 32 64 30 32 30 65 39 61 62 34 31 31 36 62 65 38 31 33 63 32 32 37 37 38 34 64 61 30 38|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41135; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant compromise download attempt"; flow:to_server,established; content:"/eFax/37486.ZIP"; fast_pattern:only; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41134; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant compromise download attempt"; flow:to_client,established; file_data; content:"<?php"; content:"=|27|base|27 2E 28|"; fast_pattern; content:"|5F|de|27 2E 27|code|27|"; content:"str_replace|28 22 5C|n|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e/analysis/; classtype:trojan-activity; sid:41133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant post compromise download attempt"; flow:to_server,established; content:"/port/login.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41180; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant post compromise download attempt"; flow:to_server,established; content:"/network/outlook.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41179; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/port/jp/gate/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41178; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/network/port10/gate/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41177; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/exchange/port10/gate/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41176; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/exchange/owalogon.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41175; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/config/install/gate/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41174; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.August variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/catalog/core/gate/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c432cc99b390b5edbab400dcc322f7872d3176c08869c8e587918753c00e5d4e/analysis/; classtype:trojan-activity; sid:41173; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Js.Trojan.Nemucod variant "; flow:to_client,established; file_data; content:") {return WScript["; fast_pattern; content:"(|22|13"; within:10; distance:5; content:"22"; within:2; distance:1; content:"35"; within:2; distance:1; content:"31"; within:2; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/1baae89b483f02681a6d7f26d00f01f90ef12129ee29b6e7d9709ed3e3969435/analysis/; classtype:trojan-activity; sid:41162; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DragonOK variant outbound connection"; flow:to_server,established; content:"/mus/Sen"; http_uri; content:".asp"; distance:0; nocase; http_uri; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41317; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DragonOK variant outbound connection"; flow:to_server,established; content:"/index.php"; fast_pattern:only; http_uri; content:"type="; nocase; http_uri; content:"id="; nocase; http_uri; content:"pageinfo="; nocase; http_uri; content:"lang="; nocase; http_uri; content:"User-Agent: "; depth:12; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DragonOK variant outbound connection"; flow:to_server,established; content:"/news/Sen"; http_uri; content:".asp"; distance:0; nocase; http_uri; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41315; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"GZIPOK|3A 20|"; fast_pattern:only; http_header; content:"CompGZ|3A 20|"; http_header; content:"ReqType|3A 20|"; http_header; content:".do"; http_uri; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41337; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"time|3A 20|"; fast_pattern:only; http_header; content:"User-Agent|3A 20|HttpEngine"; http_header; content:".do"; http_uri; pcre:"/\.(do|jar)$/Umi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41336; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/checkupdate"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|"; http_header; content:"Referer"; http_header; content:"="; depth:15; http_client_body; content:"%"; within:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41335; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/admin.php?f="; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:"Accept|3A 20|*/*"; http_header; content:!"Accept-Language"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41334; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scudy outbound connection"; flow:to_server,established; content:"/online.php?c="; fast_pattern:only; http_uri; content:"&u="; offset:15; http_uri; content:"&p="; distance:1; http_uri; content:"&hi="; distance:1; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f3f7de201ce8dde02ebd33f4eb83a5e7404808f669a7f15a0b6b3cedab878188/analysis; classtype:trojan-activity; sid:41331; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 81|"; depth:5; dsize:5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41376; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant check logs"; flow:to_server,established; content:"|38 00 00 00 85|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41375; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 83|"; depth:5; dsize:<80; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41374; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Locky payload download - result"; flow:to_client,established; file_data; content:"Li7KnnQThYEQbX57IV4Zt2yMbO6Htv5FLi7KnnQThYEQbX57IV4Zt2yMbO6Htv5FLi7KnnQThYEQbX57IV4Zt2yMbO6Htv5FLi7KnnQThYEQbX57IV4Zt2yMbO6Htv5F"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/eb38955990abcaaa3d2b248ffb28157c87f8adf7585c1f9d197487c094aea429/analysis/; classtype:trojan-activity; sid:41478; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vibrio file download - 4g3vg334"; flow:to_server,established; content:"/4g3vg334"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/62ce8b7b4f5f5cbc285657fec9958c3395290897a210faa3afdc753babe79f60/analysis; classtype:trojan-activity; sid:41477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky payload download - 987t67g"; flow:to_server,established; content:"/987t67g"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/488270c6262c0ac8510d7152b49510e3a48029a6fc8644d16dcdf39bfb2a3884/analysis/; classtype:trojan-activity; sid:41476; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Keylogger.Elite variant outbound connection"; flow:to_server,established; content:"/Mac/getInstallerSpecs/"; fast_pattern:only; http_uri; content:"channel="; nocase; http_uri; content:"info="; nocase; http_uri; content:"enc-info="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41461; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Keylogger.Elite variant outbound connection"; flow:to_server,established; content:"/Mac/getInstallScript/"; fast_pattern:only; http_uri; content:"clickid="; nocase; http_uri; content:"software="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41460; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Keylogger.Elite variant outbound connection"; flow:to_server,established; content:"/tracking/cm_mac.php"; fast_pattern:only; http_uri; content:"clickid="; nocase; http_uri; content:"funnel="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Keylogger.Elite variant outbound connection"; flow:to_server,established; content:"/read-mip.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/e23cae7189d6ca9c649afc22c638a45fd94f19ef6b585963164cca52c7b80f9b/analysis/; classtype:trojan-activity; sid:41458; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Swf.Tool.Agent flash file in a word document uploading system capabilities"; flow:to_server,established; content:"PT=ActiveX"; fast_pattern:only; http_uri; content:!"Referer|3A 20|"; http_header; content:!"Cookie|3A 20|"; http_header; content:"x-flash-version|3A 20|"; http_header; content:"ACC="; http_uri; content:"DEB="; http_uri; content:"OS="; http_uri; content:"PR32="; http_uri; metadata:impact_flag red, service http; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; reference:url,www.virustotal.com/en/file/ffd5bd7548ab35c97841c31cf83ad2ea5ec02c741560317fc9602a49ce36a763/analysis/; classtype:trojan-activity; sid:41452; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php?"; fast_pattern:only; http_uri; content:"|3C|br|3E 3C|br|3E 3C|b|3E 3C|big|3E 3C|font color=|22|"; http_client_body; content:"|22 3E 20 5B|"; within:12; http_client_body; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41444; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"163="; http_client_body; content:"&x="; distance:0; http_client_body; content:"&z="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41443; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Ransomware.X-Mas outbound connection"; flow:to_server,established; content:"WebKitFormBoundary"; content:"|20|form-data|3B 20|name=|22|uid|22|"; fast_pattern; content:"|20|form-data|3B 20|name=|22|uname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|cname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|ltime|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|uright|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|sysinfo|22|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41442; rev:2;)
alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"MALWARE-CNC Dos.Tool.LOIC variant IRC command detected"; flow:established,to_client; content:"!lazor"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,github.com/NewEraCracker/LOIC; classtype:trojan-activity; sid:41439; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oilrig variant outbound connection"; flow:to_server,established; content:"/index.aspx?id="; fast_pattern:only; http_uri; content:"/index.aspx?id="; depth:15; http_raw_uri; content:"%5Cb"; within:14; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/40182c3b3c556f89a997a88af72292840a8527fb51beee03edde674cd7abcdd4/analysis/; classtype:trojan-activity; sid:41438; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oilrig variant outbound connection"; flow:to_server,established; content:"/index.aspx?id="; fast_pattern:only; http_uri; content:"/index.aspx?id="; depth:15; http_raw_uri; content:"%5Cu"; within:14; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/40182c3b3c556f89a997a88af72292840a8527fb51beee03edde674cd7abcdd4/analysis/; classtype:trojan-activity; sid:41437; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oilrig variant outbound connection"; flow:to_server,established; content:"/index.aspx?id="; fast_pattern:only; http_uri; content:"/index.aspx?id="; depth:15; http_raw_uri; content:"%5Cd"; within:14; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/40182c3b3c556f89a997a88af72292840a8527fb51beee03edde674cd7abcdd4/analysis/; classtype:trojan-activity; sid:41436; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oilrig variant outbound connection"; flow:to_server,established; content:"User-Agent: Microsoft BITS/7.7"; fast_pattern:only; http_header; content:"Referer: https://www.google.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/a367ccb9ca5a958d012e94ae8122feda9a1a7f23a0c84e2bc5ee35c834900b61/analysis/; classtype:trojan-activity; sid:41435; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oilrig variant outbound connection"; flow:to_server,established; content:"/update-index.aspx?req="; depth:23; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8cb80ac1f955bac9ccf67e843ddc15322b4aa70e8c98269a8a98a02df4cbd8b7/analysis/; classtype:trojan-activity; sid:41434; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cerber outbound connection"; flow:to_server, established; content:"Referer: file://C:|5C|"; nocase; http_header; content:".hta|0D 0A|"; distance:1; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1170; reference:url,www.virustotal.com/file/a6b00feeecee72f12843885a76919bc6049c644bcb63c0dce5ba4492443cd90c/analysis/; classtype:trojan-activity; sid:41424; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt"; flow:to_client,established; content:"Set-Cookie|3A 20|mediaplanBAK|3D|"; fast_pattern:only; content:"Set-Cookie|3A 20|mediaplan|3D|"; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/571a7014d1ee4e359e7eb5d2c7b3e6c527f4fcef322781f1c56a1b5bf28c8eb2/analysis/1485884599/; classtype:trojan-activity; sid:41498; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; urilen:14; content:"/sam/index.php"; fast_pattern:only; http_uri; content:!"Accept: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/dbdea08e7b970d395236b8e0aada6fc07fb23e6181485d86f65da1e73ab2ba2e/analysis/; classtype:trojan-activity; sid:41540; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MagicHound variant outbound connection"; flow:to_server,established; content:"/WebService.asmx"; nocase; http_uri; content:"SOAPAction|3A|"; nocase; http_header; content:"SetLog2"; distance:0; nocase; http_header; content:"<SetLog2"; fast_pattern:only; http_client_body; content:"<mac"; nocase; http_client_body; content:"<host"; nocase; http_client_body; content:"<pass"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce/analysis/; classtype:trojan-activity; sid:41657; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; urilen:<60; content:"_put.jpg"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; pcre:"/\x2F[0-9A-F]{8,10}_put\.jpg$/Uim"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41687; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; content:"/news2/news_dir/index.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41686; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; content:"/images/banners/temp/index.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41685; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; content:"/bbs/data/image/work/webproxy.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41684; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; content:"/admin/data/bbs/review2/board/index.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41683; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Malear variant outbound connection"; flow:to_server,established; content:"/admin/data/bbs/review2/board/123.php"; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/281828d6f5bd377f91c6283c34896d0483b08ac2167d34e981fbea871893c919/analysis/; classtype:trojan-activity; sid:41682; rev:1;)
alert tcp $EXTERNAL_NET [4431,4432,4433] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|55 04 08 0C 0E|Ckeidet airop"; fast_pattern:only; content:"|55 04 03 0C 1E|huraroparmqus.bivess7hanare.si"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c/analysis/; classtype:trojan-activity; sid:41676; rev:1;)
alert tcp $EXTERNAL_NET [4431,4432,4433] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|55 04 08 0C 0F|Mamsugt mantyn11"; fast_pattern:only; content:"|55 04 03 0C 1B|Dyingerecer.pedrdfinteek.tr0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/103a9e26e8d69cbbde4e871dd6cb1b0ee863a8265746aa7d77cd1106025c2d7c/analysis/; classtype:trojan-activity; sid:41675; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"MALWARE-CNC Win.Trojan.Mirai variant outbound connection"; flow:to_server,established; urilen:8; content:"/ups.rar"; http_uri; content:!"Referer|3A 20|"; http_header; content:!"Cookie|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,vms.drweb.com/virus/?_is=1&i=14934685; reference:url,www.virustotal.com/en/file/4856706c088f66965d714fe09af22ee56d84483278582ff3dd8f98bc3c5862ab/; classtype:trojan-activity; sid:41665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; urilen:14; content:"/Servermac.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41663; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; content:"SKeychain.zip"; fast_pattern:only; http_uri; content:"p1="; http_uri; content:"filename="; http_uri; content:"data="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41662; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; content:"SKeychain.zip"; fast_pattern:only; http_client_body; content:"p1="; http_client_body; content:"filename="; http_client_body; content:"data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41661; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Houdini backdoor file download request"; flow:to_server,established; content:"/ChromeSetup.bat"; fast_pattern:only; http_uri; content:"User-Agent|3A| Microsoft BITS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41712; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_slave|0D 0A|"; depth:11; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41711; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Winwrapper outbound connection"; flow:to_server,established; content:"/advplatform/api.cgi?"; fast_pattern:only; nocase; http_uri; content:"act="; nocase; http_uri; content:"&appid"; distance:0; nocase; http_uri; content:"&pnid"; distance:0; nocase; http_uri; content:"&proto"; distance:0; nocase; http_uri; content:"WinWrapper"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/77b9f24a454183f76364e1d3312b5801042e55423e372f9600cfc4096eb50a4e/analysis/; classtype:trojan-activity; sid:41702; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PowerMacro DNS query response"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 10 00 01 00 00 00 01|"; distance:0; content:"|7C|"; within:1; distance:4; content:"|7C|"; within:1; distance:1; content:"|7C|"; within:1; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/49e50e340bf9853d39d8b4d626530b234abfb15e620a39cf3d76ef844d5f540a/analysis/; classtype:trojan-activity; sid:41789; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PowerMacro DNS query response"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:4; content:"|00 10 00 01 00 00 00 01|"; distance:0; byte_test:2,>,200,0,relative; content:"@"; within:1; distance:3; pcre:"/\x00\x10\x00\x01\x00\x00\x00\x01.{3}\x40[a-z0-9\x2b\x2f]+\x40$/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/49e50e340bf9853d39d8b4d626530b234abfb15e620a39cf3d76ef844d5f540a/analysis/; classtype:trojan-activity; sid:41788; rev:1;)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PowerMacro TCP DNS query response"; flow:to_client,established; byte_test:1,&,0x80,4; content:"|00 01 00 01 00 00 00 00|"; depth:8; offset:6; content:"|00 10 00 01 00 00 00|"; distance:0; byte_test:2,>,200,1,relative; content:"|24|e|3D 27|"; within:4; distance:4; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/49e50e340bf9853d39d8b4d626530b234abfb15e620a39cf3d76ef844d5f540a/analysis/; classtype:trojan-activity; sid:41787; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ratankba variant outbound connection"; flow:to_server,established; content:"/View.jsp"; fast_pattern:only; http_uri; content:"action="; nocase; http_uri; content:"u="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7c77ec259162872bf9ab18f6754e0e844157b31b32b4a746484f444b9f9a3836/analysis/; classtype:trojan-activity; sid:41780; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/pilot/api"; fast_pattern:only; http_uri; content:"User-Agent|3A| Apache-HttpClient"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42031; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant file download attempt"; flow:to_server,established; content:"/file/"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"Accept-Encoding|3A| identity"; http_header; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42030; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant file download attempt"; flow:to_server,established; content:"/admin201506/uploadApkFile"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42029; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant file download attempt"; flow:to_server,established; content:"/elfdown/"; depth:9; http_uri; urilen:>23,norm; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42028; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/root/put"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42027; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/sm/sr/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42026; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/gcview/api"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42025; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/qmsg/api"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42024; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/pmsg/api"; fast_pattern:only; http_uri; content:"User-Agent|3A| Apache-HttpClient"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42023; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 18080 (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| HTTP GET/1.0"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42022; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/wroot/v3"; fast_pattern:only; http_uri; content:".do"; http_uri; content:"uuid="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42021; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; content:"Host: mbfce24rgn65bx3g."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c1c31129a39441607c060a7da57855d3969cf47ce4119cda9beaf65b63faca60/analysis/; classtype:trojan-activity; sid:42059; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Downeks variant initial outbound connection"; flow:to_server,established; content:"sGryWZwgElaAor9PesTf2xVTd0LWfDx6"; fast_pattern:only; http_client_body; content:"Content-Length|3A| 728"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740/analysis/; classtype:trojan-activity; sid:42083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Jenxcus outbound POST request attempt"; flow:to_server,established; content:"User-Agent:"; depth:200; nocase; content:"POST /im-azerty HTTP/1.1"; depth:30; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/DF7A4ED22BE71C4C2C993413E90FC5C9734672B3D3D8938B8A31E89A26D92305/analysis/; classtype:trojan-activity; sid:42081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent"; flow:to_server,established; content:"User-Agent:"; depth:200; nocase; content:"<|7C|>"; within:30; distance:1; content:"<|7C|>false - "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/DF7A4ED22BE71C4C2C993413E90FC5C9734672B3D3D8938B8A31E89A26D92305/analysis/; classtype:trojan-activity; sid:42080; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Jenxcus outbound connection with unique User-Agent"; flow:to_server,established; content:"User-Agent:"; depth:200; nocase; content:"<|7C|>"; within:30; distance:1; content:"<|7C|>true - "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/DF7A4ED22BE71C4C2C993413E90FC5C9734672B3D3D8938B8A31E89A26D92305/analysis/; classtype:trojan-activity; sid:42079; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Winpud encoded payload download attempt"; flow:to_server,established; file_data; content:"sfrayHOwwTJJldvrSHHJCMQTtviXQh7AoqTA0n0wduhTROgrvdomW40F1cejuz75G"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7b726bff91d41da540b37b9f706643b4249baa9a27d4c12f0122f69615344160/analysis/; reference:url,virustotal.com/en/file/a9758e120f0f7703743e006b9e2d3dcf7f50d8c6d34bbbb0dab6bcd6ae7568e3/analysis/; classtype:trojan-activity; sid:42099; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Winpud encoded payload download attempt"; flow:to_client,established; file_data; content:"sfrayHOwwTJJldvrSHHJCMQTtviXQh7AoqTA0n0wduhTROgrvdomW40F1cejuz75G"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7b726bff91d41da540b37b9f706643b4249baa9a27d4c12f0122f69615344160/analysis/; reference:url,virustotal.com/en/file/a9758e120f0f7703743e006b9e2d3dcf7f50d8c6d34bbbb0dab6bcd6ae7568e3/analysis/; classtype:trojan-activity; sid:42098; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [23,2323,5555,7547] (msg:"MALWARE-CNC Unix.Trojan.Mirai variant new bot registered"; flow:to_server,established; stream_size:client,=,5; content:"|00 00 00 01|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:42114; rev:1;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_client,established; flowbits:isset,trojan.mirai; file_data; content:"|7F|ELF"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/22b45a675883c392e3ef271c53ec875a0a69e393a391f7aff6ff2d6809cd035f/analysis/; classtype:trojan-activity; sid:42113; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Acronym variant outbound connection"; flow:to_server,established; content:"/acr/update.php"; fast_pattern:only; http_uri; urilen:15; content:"="; depth:1; offset:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4a91289e99d3597f4c9e54a3d1d311dfb66aa92fd476463834e4d1f8df651762/analysis/; classtype:trojan-activity; sid:42126; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| WinHttpClient"; fast_pattern:only; http_header; content:"//Home/"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42128; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Downloader.Agent variant certificate negotiation"; flow:to_client,established; content:"|55 04 0A 0C 03|Dis"; fast_pattern:only; content:"|55 04 08 0C 06|Denial1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fda3ed4522d98aee5b2bfed624c7a27a27dfa5eaf501673c6b0087b5994a5609/analysis/; classtype:trojan-activity; sid:42172; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Agent variant outbound connection"; flow:to_server,established; content:"?showforum="; fast_pattern:only; http_uri; content:"/file/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fda3ed4522d98aee5b2bfed624c7a27a27dfa5eaf501673c6b0087b5994a5609/analysis/; classtype:trojan-activity; sid:42171; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dimnie outbound connection"; flow:to_server,established; content:"Host: toolbarqueries.google.com"; fast_pattern:only; http_header; content:"User-Agent: Opera/9.80 (Windows NT 6.1|3B| WOW64) Presto/2.12.388 Version/12.15"; http_header; content:"Accept-Language: ru-RU,ru|3B|q=0.9,en|3B|q=0.8"; http_header; content:"ch="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7d8ec31d9d98802e9b1ebc49c4b300fa901934b3d2d602fa36cc5d7c5d24b3bc/analysis/; classtype:trojan-activity; sid:42243; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Dimnie file download attempt"; flow:to_server,established; content:"/wp-content/margin2601_onechat_word.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6b9af3290723f081e090cd29113c8755696dca88f06d072dd75bf5560ca9408e/analysis/; classtype:trojan-activity; sid:42242; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 799 (msg:"MALWARE-CNC Win.Trojan.Mikcer variant outbound connection"; flow:to_server,established; content:"/cj"; depth:3; offset:4; content:"/k1.rar HTTP/1.1|0D 0A|"; within:19; fast_pattern; content:!"Referer|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b72f47440e43b5c468c04e4d54a95a66c541b33df7a8d745689eb01ae0754583/analysis/; classtype:trojan-activity; sid:42233; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DocumentCrypt variant outbound connection"; flow:to_server,established; content:"/supersubs.php"; fast_pattern:only; http_uri; content:"guid="; http_client_body; content:"ver="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e6591a9389c7b82d59949b8c5660e773b86dff1fa3909f780cb8c88bbc85646c/analysis/; classtype:trojan-activity; sid:42228; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:established,to_server; dsize:12; content:"|7A 8D 9B DC|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42225; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuaibu outbound file download attempt"; flow:to_server,established; content:"/iniuser/"; fast_pattern:only; http_uri; content:".ini"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/005dce6a8cec1d41513239517f1fae32bf2dbaba6bf6b4b8149c0510a889bf2e/analysis; reference:url,virustotal.com/en/file/2935d99dafcbb49851c6737d9723a34c8bcaeca6e8697a1d816055ab6e1421f2/analysis; classtype:trojan-activity; sid:42303; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuaibu outbound connection"; flow:to_server,established; content:"/server/server.txt"; fast_pattern:only; http_uri; urilen:18; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/005dce6a8cec1d41513239517f1fae32bf2dbaba6bf6b4b8149c0510a889bf2e/analysis; reference:url,virustotal.com/en/file/2935d99dafcbb49851c6737d9723a34c8bcaeca6e8697a1d816055ab6e1421f2/analysis; classtype:trojan-activity; sid:42302; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kuaibu inbound server configuration response"; flow:to_client,established; file_data; content:"|0A|kuaibu"; content:"|3D|"; within:2; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/005dce6a8cec1d41513239517f1fae32bf2dbaba6bf6b4b8149c0510a889bf2e/analysis; reference:url,virustotal.com/en/file/2935d99dafcbb49851c6737d9723a34c8bcaeca6e8697a1d816055ab6e1421f2/analysis; classtype:trojan-activity; sid:42301; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.QQPass variant outbound connection"; flow:to_server,established; urilen:21; content:"Accept-Language|3A 20|zh-cn|0D 0A|"; fast_pattern:only; http_header; content:".png"; http_uri; content:"Referer: "; http_header; content:".png|0D 0A|"; within:50; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/167de5d0edcbfb54a65deed0dc9059088e45a6009d74afe2a6df33c4d7c9a73e/analysis/; classtype:trojan-activity; sid:42348; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant ping command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|41 00|"; within:2; distance:21; content:"|0E 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:29; flowbits:set,smb.trans2.mid65; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42332; rev:6;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|42 00|"; within:2; distance:21; content:"|0E 00|"; within:2; distance:29; content:!"|00 00|"; within:2; flowbits:set,smb.trans2.mid66; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1055; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42331; rev:4;)
alert tcp $HOME_NET 445 -> any any (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response"; flow:to_client,established; flowbits:isset,smb.trans2.mid66; content:"|FF|SMB|32 02 00 00 C0|"; depth:9; offset:4; content:"|52 00 00 00 00|"; within:5; distance:21; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42330; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response"; flow:to_client,established; flowbits:isset,smb.trans2.mid65; content:"|FF|SMB|32 02 00 00 C0|"; depth:9; offset:4; content:"|51 00 00 00 00|"; within:5; distance:21; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42329; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:to_server,established; content:"856"; depth:3; offset:1; content:"856|9A F3 EC 89|"; within:7; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42398; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Oddjob outbound connection"; flow:to_server,established; urilen:80<>120; content:"HEAD"; http_method; content:"User-Agent: Microsoft BITS"; fast_pattern:only; http_header; content:"Accept-Encoding: identity"; nocase; http_header; pcre:"/\x2f[A-Z0-9\x3d\x2d\x2b\x2e\x20]{80,120}\x20/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,virustotal.com/en/file/7c5bf83dfbd95b4d469cb54f292354d8f4f6b28bd77538b5876d1915c6542a1b/analysis/; classtype:trojan-activity; sid:42395; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Moarider variant outbound connection"; flow:to_server,established; urilen:7; content:"/aa.txt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f9a5b18e4da82b462e2f5243423506b176cff9849a79805b0853085bce4fcb7a/analysis/; classtype:trojan-activity; sid:42391; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Moarider variant outbound connection"; flow:to_server,established; content:"/aa.txt"; fast_pattern:only; http_uri; content:"/glp?"; http_uri; content:"rw="; http_uri; content:"rh="; http_uri; content:"ww="; http_uri; content:"wh="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f9a5b18e4da82b462e2f5243423506b176cff9849a79805b0853085bce4fcb7a/analysis/; classtype:trojan-activity; sid:42390; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 799 (msg:"MALWARE-CNC Win.Trojan.Mikcer variant outbound connection"; flow:to_server,established; content:"|0D 0A|Host|3A| ddos."; fast_pattern:only; content:!"Referer|3A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/b72f47440e43b5c468c04e4d54a95a66c541b33df7a8d745689eb01ae0754583/analysis/; classtype:trojan-activity; sid:42386; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,$HTTP_PORTS] (msg:"MALWARE-CNC Win.Trojan.Moonwind outbound connection"; flow:to_server; content:"EMSG"; depth:4; nocase; content:"</Msg"; distance:0; nocase; isdataat:10,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c/analysis/; classtype:trojan-activity; sid:42385; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.ChChes set cookie tag inbound connection"; flow:to_client,established; content:"Set-Cookie|3A| tag="; fast_pattern:only; pcre:"/Set-Cookie\x3A\x20tag\x3D[a-f0-9]{16}\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2c71eb5c781daa43047fa6e3d85d51a061aa1dfa41feb338e0d4139a6dfd6910/analysis/; classtype:trojan-activity; sid:42425; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cerber variant inbound connection attempt"; flow:to_client,established; content:"Content-Type|3A 20|application/vnd.ms-excel"; fast_pattern:only; http_header; file_data; content:"MZ|90 00|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,isc.sans.edu/forums/diary/Blank+Slate+malspam+still+pushing+Cerber+ransomware/22215/; classtype:trojan-activity; sid:42421; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Frethog variant inbound connection attempt"; flow:to_client,established; file_data; content:"|5B|ParentProcess|5D|"; fast_pattern:only; content:"|5B|VIPBlack|5D|"; content:"|5B|SafeUrl|5D|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e09a8c28c426b894fcff5c1102570fa6a5cfdbce5d9202f6322262fe8143ab6b/analysis/; classtype:trojan-activity; sid:42453; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Frethog variant outbound connection"; flow:to_server,established; urilen:10; content:"lock2.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/e09a8c28c426b894fcff5c1102570fa6a5cfdbce5d9202f6322262fe8143ab6b/analysis/; classtype:trojan-activity; sid:42452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Batlopma variant outbound connection"; flow:to_server,established; content:"User-Agent: InetURL:/1.0|0D 0A|"; fast_pattern:only; http_header; content:"/notify.php"; nocase; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/63dc515aa44a48a31191b8f905b40ce8883bc864d4784a0bf84edf102ddffaf3/analysis/; classtype:trojan-activity; sid:42447; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Axespec outbound request"; flow:to_server,established; content:"Content-Length: 94"; fast_pattern:only; http_header; content:!"User-Agent"; http_header; content:"s|00|v|00|c|00|h|00|o|00|s|00|t|00|.|00|e|00|x|00|e"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/28246917120592354D179C217E2B2DDA4756A6D9E9D62128F91FE2F5121F4509/analysis/; reference:url,virustotal.com/en/file/2DAB230CFD0F57D6C2CB2ECF1EBFD3C065D0C36F07F1EA60E56066844BB742F4/analysis/; classtype:trojan-activity; sid:42439; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; http_header; content:"=Ev al "; http_client_body; content:"If+IsNumeric"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42837; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(get_magic_quotes_gpc()?stripslashes($_POST["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42836; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=edoced_46esab"; fast_pattern:only; http_client_body; content:"z0="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42835; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"z9=base64%5fdecode"; fast_pattern:only; http_client_body; content:"=%40eval"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42834; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Kasperagent outbound connection detected"; flow:to_server,established; content:"devd="; http_client_body; content:"&acc="; within:200; http_client_body; content:"&filenam="; within:50; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a52d3e65fe5bbf57bab79b1c5092b66d9650247249b72f667a927f266d09efe6/analysis/; classtype:trojan-activity; sid:42833; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Jaff ransomware outbound connection"; flow:to_server,established; urilen:7; content:"/77g643"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:42899; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/cheditor/cheditor.php"; fast_pattern:only; http_uri; content:"topic"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/71e55fd93bdba0cf2e348b83cea2cd3d44f7d29924abeab77e7599bcd8999dee/analysis/; classtype:trojan-activity; sid:42895; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; urilen:>175; content:"/images/"; depth:20; fast_pattern; http_uri; content:"_2B"; http_uri; content:!"Accept|3A|"; http_header; content:!"Referer|3A|"; http_header; pcre:"/\x2Fimages\x2F[0-9a-zA-Z_\x2F]*?\x2E(avi|bmp|gif)/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d137ee63561a123edc51a1d23ce74a18ee094a872b0b9151606934ad12701c05/analysis/; classtype:trojan-activity; sid:42894; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Trojan.SpikeA outbound connection"; flow:to_server,established; content:"INFO"; depth:4; nocase; content:"|25 7C|"; within:7; distance:1; content:"Mbps"; within:10; distance:2; nocase; isdataat:!1,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/7940252cc9dfd627c63663f0e9613235ec261b2f55c6a248b9d0b9c4677f2800/analysis/; classtype:trojan-activity; sid:42892; rev:2;)
alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WashingTon ssl certificate negotiation attempt"; flow:to_server,established; content:"WashingTon"; fast_pattern:only; content:"WebMaster@Microsoft.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection"; flow:established,to_server; content:"/logon.aspx?Id="; fast_pattern:only; http_uri; content:"Cookie|3A 20|SessionData="; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42884; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt"; flow:established,to_server; content:"/mm.jpg"; depth:7; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (compatible"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42883; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZoxPNG initial outbound connection"; flow:established, to_server; content:"/search?q=Google&go=&qs=n&form="; fast_pattern:only; http_uri; content:"pq=google&sc=8-1&sp=-1&sk="; http_uri; content:"Cookie|3A 20|SESSIONID="; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:to_server,established; content:"/JP-ja/js?"; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42881; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:established,to_server; content:"Connect.php?id="; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42880; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Niramdat variant initial outbound connection"; flow:established,to_server; content:"/tmp/gw.php"; fast_pattern:only; http_uri; content:"e=1&c="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/dbd135d59328d9c31fe1151668180c2b90ba4653e3739045db800f8850e150c6/analysis/; classtype:trojan-activity; sid:42929; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Keylogger.Scanbox outbound connection"; flow:to_server,established; content:"/file/i/d.php?"; fast_pattern:only; http_uri; content:"=="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/cec9564a7d6308a06b629618c800255f9b92c7055c7a6f854d93ddcf379a849f/analysis/; classtype:trojan-activity; sid:42926; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Keylogger.Scanbox outbound connection"; flow:to_server,established; content:"/file/i/recv.php"; fast_pattern:only; http_uri; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/cec9564a7d6308a06b629618c800255f9b92c7055c7a6f854d93ddcf379a849f/analysis/; classtype:trojan-activity; sid:42925; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Trojan.Backdoor inbound connection attempt"; flow:to_server,established; dsize:6; content:"|B5 A4 6F CE 21 66|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/october/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/; classtype:trojan-activity; sid:43754; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.BlackEnergy outbound connection"; flow:to_server,established; content:"/stat.php"; fast_pattern:only; content:"id="; nocase; content:"&build_id="; within:50; nocase; pcre:"/id=x[0-9a-z]*?_[0-9a-z]*?&build_id=[0-9]{4}/i"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/bc062acda428f55782710f9c4f2df88c26dfbc004b94b479459f8572b1219444/analysis/; classtype:trojan-activity; sid:43597; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.DroidKungFu outbound connection"; flow:to_server,established; content:"/ad/nadp.php"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,virustotal.com/en/file/93bc7cae3dc7ecafb01a9d136a7d24e280673f7dde1b30f545e1fe2646e8a66c/analysis/; classtype:trojan-activity; sid:43578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32.Trojan.NeutrinoPOS connection attempt"; flow:established,to_server; content:"POST"; http_method; content:"/newfiz29/logout.php"; http_uri; content:"auth=bc00595440e801f8a5d2a2ad13b9791b"; http_cookie; content:"|5F 77 76 3D 5A 57 35 30 5A 58 49 3D|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/433dade02cd1f41baaa5fff548c1ddce997735f90d8edeab7a7b03b028dc1836/analysis/; classtype:trojan-activity; sid:43575; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected"; flow:to_server; content:"|61 63 3E 48 0C 63 42 51 36 35 4A 29 40 03 00 6F 23 44 39 34 4A 39 52 73 2E 77 5C 77 40 78 2F 24 4C 7F 64 06 24 2B 01 09 31 22 61 44 40 62|"; fast_pattern:only; metadata:impact_flag red; reference:url,virustotal.com/en/file/2de77eb026e19a592590c3fde6599884d739a8f160ab4d2d78d14e993deda2aa/analysis/; classtype:trojan-activity; sid:43527; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Deltasource variant outbound connection detected"; flow:to_server,established; content:"|61 63 3E 48 0C 63 42 51 36 35 4A 29 40 03 00 6F 23 44 39 34 4A 39 52 73 2E 77 5C 77 40 78 2F 24 4C 7F 64 06 24 2B 01 09 31 22 61 44 40 62|"; fast_pattern:only; metadata:impact_flag red; reference:url,virustotal.com/en/file/2de77eb026e19a592590c3fde6599884d739a8f160ab4d2d78d14e993deda2aa/analysis/; classtype:trojan-activity; sid:43526; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Donvibs variant outbound connection"; flow:to_server,established; content:"compatible|3B| MSIE 6.5|3B| Windows NT 5.5"; fast_pattern:only; http_header; urilen:5<>10; content:"Accept: */*|0D 0A|"; http_header; content:!"Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0A6D9E6BBBDAA4536DA8B1D83CEC607ED5EC4CBD4E95F8B9BCFA2A1FF24A929D/analysis/; classtype:trojan-activity; sid:43524; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Donvibs variant outbound connection"; flow:to_server,established; content:"WinHttp.WinHttpRequest.5"; fast_pattern:only; http_header; urilen:6<>10; content:"GET"; http_method; content:"Accept: */*|0D 0A|User-Agent:"; http_header; content:!"Referer|3A|"; http_header; content:!"Via|3A|"; http_header; content:!"Content-Type|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/0A6D9E6BBBDAA4536DA8B1D83CEC607ED5EC4CBD4E95F8B9BCFA2A1FF24A929D/analysis/; classtype:trojan-activity; sid:43523; rev:4;)
# alert tcp $EXTERNAL_NET 31 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.AgentInfo variant outbound connection"; flow:to_client,established; content:"AgentInfo 002 Beta 8."; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:43478; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected"; flow:to_server,established; urilen:<19; content:"/read.php?f="; fast_pattern:only; http_uri; pcre:"/f=(\d{1,3}|\d\.(jpg|dat|exe))$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4b6536616daaede6291ac779951e3bcc1819c75c0bc77704e0219ab0245aca19/analysis/; classtype:trojan-activity; sid:43477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected"; flow:to_server,established; urilen:<19; content:"/admin.php?f="; fast_pattern:only; http_uri; pcre:"/f=(\d{1,3}|\d\.(jpg|dat|exe))$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f2841ad7f1b870222ea46b00e1cef07f828af189c15ce270d8a2ec58c86ce8e7/analysis/; classtype:trojan-activity; sid:43476; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Agent ransomware downloader outbound connection detected"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"Host|3A|"; depth:5; http_header; content:"|0D 0A|Connection|3A|"; within:75; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d731129990031b694ec04177927dc37bb19814b216b86f0005ecdd9049a7e5b5/analysis/; classtype:trojan-activity; sid:43475; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fireball variant outbound connection"; flow:to_server,established; content:"/v4/service"; fast_pattern:only; http_uri; content:"action=visit"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f964a4b95d5c518fd56f06044af39a146d84b801d9472e022de4c929a5b8fdcc/analysis/; classtype:trojan-activity; sid:43468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fireball variant outbound connection"; flow:to_server,established; content:"reqs=visit|2E|"; fast_pattern:only; http_uri; content:"/provide?clients="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e3f69a1fb6fcaf9fd93386b6ba1d86731cd9e5648f7cff5242763188129cd158/analysis/; classtype:trojan-activity; sid:43467; rev:1;)
alert tcp $HOME_NET 445 -> any any (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response"; flow:to_client,established; flowbits:isset,smb.session_setup_subcommand; content:"|FF|SMB2|02 00 00 C0|"; depth:9; offset:4; isdataat:13,relative; content:!"|00 00 00 00 00 00 00 00|"; within:8; distance:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:43459; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eorezo variant outbound connection"; flow:to_server,established; content:"/cgi-bin/advert/get"; fast_pattern:only; http_uri; content:"did="; http_uri; content:"X-OS-Ver:"; http_header; content:"X-Guuid:"; http_header; pcre:"/^User-Agent: [a-z]+_[a-z]+_\d{3,9}-/Hm"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/00A87AEF3CC1F82F4D2209A4042FC9BCD8ED433B139185C52550FEF9857F6F25/analysis/; classtype:trojan-activity; sid:43457; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Erebus variant outbound connection"; flow:to_server,established; file_data; urilen:1; content:"h="; depth:2; http_client_body; content:"&v="; within:3; distance:8; http_client_body; content:"&k="; within:3; distance:3; fast_pattern; http_client_body; content:"Expect|3A| 100-continue|0D 0A 0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips alert, policy security-ips alert, service http; reference:url,virustotal.com/en/file/0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f/analysis/; classtype:trojan-activity; sid:43351; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Adware.Judy malicious java file download attempt"; flow:established,to_client; file_data; content:"|7B 22 64 22 3A 7B 22 62 22 3A 22|"; content:"|22 2C 22 61 22 3A 30 7D|"; within:10; distance:12; content:"|22|download/upgrade/upgp/|22|"; content:"http"; content:".tar.gz"; within:70; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d2f9b0a1a057d32cfd794f021093dd11e438b6d1e31a96ee38637e1ab2cdeadb/analysis/; classtype:trojan-activity; sid:43293; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Andr.Adware.Judy malicious dex file download attempt"; flow:established,to_client; file_data; content:"cs.network.configs.Config"; fast_pattern:only; content:"|22|url"; content:".dex"; within:75; content:"|22|md5|22|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a2ddf8e497e6ef6c8c023d483eb8d21e9886bd4448986de5b8d817eb7d08ff4c/analysis/; classtype:trojan-activity; sid:43292; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia outbound connection"; flow:to_server,established; content:"/api/white_walkers/new"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2017/06/palestine-delphi.html; reference:url,virustotal.com/en/file/005dce6a8cec1d41513239517f1fae32bf2dbaba6bf6b4b8149c0510a889bf2e/analysis; classtype:trojan-activity; sid:43224; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia outbound connection"; flow:to_server,established; content:"/api/"; http_uri; content:"----"; depth:4; fast_pattern; http_client_body; content:"|0D 0A 0D 0A|Windows "; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2017/06/palestine-delphi.html; reference:url,virustotal.com/en/file/0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1/analysis/; classtype:trojan-activity; sid:43223; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Micropsia outbound connection"; flow:to_server,established; content:"Accept-Encoding: identity|0D 0A|"; fast_pattern:only; http_header; content:"User-Agent"; nocase; http_header; content:"+http://www.google.com/bot.html"; within:100; nocase; http_header; content:"----"; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2017/06/palestine-delphi.html; reference:url,virustotal.com/en/file/0180e2b601ae643e7adf1784c313dd2d10d114bd2b5692eb6e9c031a6e448ed1/analysis/; classtype:trojan-activity; sid:43222; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|1B 17 E9 E9 E9 E9|"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43194; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|18 17 E9 E9 E9 E9|"; fast_pattern:only; isdataat:!7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43193; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konus variant outbound connection detected"; flow:to_server,established; content:"/happytimes/connect.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/C5586CE98622BAF123A10E99498C64F341B6454244121157185946F96AABE163/analysis/; classtype:trojan-activity; sid:43190; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsnu variant outbound conection"; flow:to_server,established; content:"/p.ashx"; fast_pattern:only; http_uri; content:"e="; nocase; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/02dd736b4a08c2c3b36f62b74cd7d0d19255c0120c818f61669fcdcd140afbfc/analysis; classtype:trojan-activity; sid:43184; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Matsnu variant outbound conection"; flow:to_server,established; content:"/xdaovcny/index.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/02dd736b4a08c2c3b36f62b74cd7d0d19255c0120c818f61669fcdcd140afbfc/analysis; classtype:trojan-activity; sid:43183; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 10.0|3B| WOW64)"; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9843a7be6b313c2fb4093ca25639b6d92cc1e0bdacfcc6277ea61e635e220e1c/analysis/; classtype:trojan-activity; sid:43129; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kabob outbound connection"; flow:to_server,established; content:"@|E9 03 00 00 00 00 00 00 00 00 64|"; fast_pattern:only; http_client_body; pcre:"/\/\d{8}\/\w{4}\/[A-F0-9]{4}\/[A-F0-9]{4}\/[A-Z0-9\-_~]{12}\.[aj]sp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:43063; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gasonen variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| AutoIt|0D 0A|"; fast_pattern:only; http_header; content:!"Referer|3A|"; http_header; content:"Cache-Control: no-cache"; http_header; pcre:"/(textile|banner|logo)\x2E(png|jpg|gif)$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/31F00FDE356066B650AA9D4F234AD83B0EC03FE1ABFCD3038A32E7A0CD259DF2/analysis/; classtype:trojan-activity; sid:43049; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spesseo variant outbound connection"; flow:established, to_server; content:"User-Agent: NSIS_Inetc (Mozilla)"; fast_pattern:only; http_header; content:"y6bdVFVIsvuYsgEClQfz8Peh"; depth:40; http_uri; content:!"Referrer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/intelligence/search/?query=9D81C402C4790C77500C270A5DAD7B59775BE001FAD4FB79B401AFFFE85EDFF6; classtype:trojan-activity; sid:42997; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Spesseo variant outbound connection"; flow:established, to_server; content:"User-Agent: NSIS_Inetc (Mozilla)"; fast_pattern:only; http_header; content:"/time.php"; depth:9; http_uri; urilen:9; content:!"Referrer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/intelligence/search/?query=9D81C402C4790C77500C270A5DAD7B59775BE001FAD4FB79B401AFFFE85EDFF6; classtype:trojan-activity; sid:42996; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adylkuzz variant initial outbound connection"; flow:established,to_server; content:"User-Agent|3A| LuaSocket"; fast_pattern:only; http_header; content:"/report"; nocase; http_uri; content:"hasWanIP="; nocase; http_uri; content:"cpufreq="; nocase; http_uri; content:"mem="; nocase; http_uri; content:"m_procnum="; nocase; http_uri; content:"m_exists="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233/analysis/; classtype:trojan-activity; sid:42945; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.XAgent outbound connection"; flow:to_server,established; content:"(unknown version)"; http_header; content:"Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z0-9]{2,8}\x3d/Ui"; content:!"Referer"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html; reference:url,download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf; classtype:trojan-activity; sid:43825; rev:2;)
# alert tcp $HOME_NET 34324 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Biggluck variant inbound response"; flow:to_client,established; content:"Welcome!|0A 0D|# "; fast_pattern:only; dsize:12; metadata:impact_flag red; classtype:trojan-activity; sid:43899; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7080 (msg:"MALWARE-CNC Win.Malware.Emotet variant outbound connection"; flow:to_server,established; content:"/3MEGFV938DS21M9697282868BNSH73JD"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:43890; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/01092ea6b5eb749254cf61a58c7c8fe5f6700197643271202fe420ac7cc68d1f/detection; classtype:trojan-activity; sid:43972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kradod connection attempt"; flow:to_server,established; content:"User-Agent:|20|vb|20|wininet"; fast_pattern:only; http_header; content:"/app/linfo.asp"; http_uri; content:"?mid="; http_uri; content:"&ver="; http_uri; content:"&ud="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/es/file/109fce30219662725b42f1576071ae188e6d518414f25689ecbfbb1074573ee4/analysis/; classtype:trojan-activity; sid:43969; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Globeimposter outbound connection"; flow:to_server,established; content:"/counter.php?"; depth:13; http_uri; content:"nu="; http_uri; content:"fb="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b/analysis/; classtype:trojan-activity; sid:43950; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.GamKer variant outbound connection"; flow:to_server; urilen:22; content:".php"; fast_pattern:only; http_uri; content:"/"; depth:1; offset:9; http_uri; pcre:"/\x2f[a-f0-9]{8}\x2f[a-f0-9]{8}\.php$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/97288f770d1317d6cc4c624156b3baf101a8ac7d6fd3da92393db703baaf149b/detection; classtype:trojan-activity; sid:43930; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poogetad Variant connection attempt"; flow:to_server,established; content:"User-Agent:|20 20 20|MyApp/0.1"; fast_pattern:only; content:"CONNECT"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4063d08b84fdbb0d95cb78f22ebd39bf45207e868a9ca1b4c208df9aff8c0bed/analysis/; reference:url,virustotal.com/en/file/a3ff0ea9b4cb8ebbd9a64cc10af5a2ef243b30a9180a4a02163c87769a36a574/analysis/; reference:url,virustotal.com/en/file/e47b4b10d4bc3efc9d6b88cc071323eb27413995b4d4854bae342f7881ab7e21/analysis/; classtype:trojan-activity; sid:43929; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hippo variant outbound connection"; flow:to_server,established; content:"|11 76 90 09 00 09 00 00 00|"; depth:9; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:44011; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rortiem outbound connection"; flow:to_server,established; content:"If|2D|None|2D|Match|3A 20 22|"; fast_pattern:only; http_header; content:"/gettime.html?"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6c9d748484021b2b7ee9722695432f73d0f5f2b5d7c19ffcc2bccaafe5d040b5/analysis/; reference:url,virustotal.com/en/file/913b31a9e399a64a9f72eb3d2c301b6d159274af549c60702271ef636de375c2/analysis/; classtype:trojan-activity; sid:43985; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/pockemon/squirtle/functions.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43982; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/update/upfolder/updatefun.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43981; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected"; flow:to_server,established; content:"/JbhbUsfs"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:54.0) Gecko/20100101 Firefox/54.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/512738942e579a83f330e6ed8387158993f46126f4e3737e9db58a70fcafeea9/detection; classtype:trojan-activity; sid:44028; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected"; flow:to_server,established; content:"/y872ff2f"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:54.0) Gecko/20100101 Firefox/54.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/512738942e579a83f330e6ed8387158993f46126f4e3737e9db58a70fcafeea9/detection; classtype:trojan-activity; sid:44027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 2008 (msg:"MALWARE-CNC Win.Trojan.Hupigon Connection attempt"; flow:to_server,established; content:"LIST|0B|10000"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f19a35f4e9030c6971a2145dacd3f37ddbdf05e586800ef600e1d5936ff70e0f/analysis/; classtype:trojan-activity; sid:44042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cerber variant outbound connection"; flow:to_server,established; content:"17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt"; http_uri; content:"_=15"; within:4; distance:1; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/56f41afc8f025597659f11f59b191e66bd6c6525313cf3c0356c40490722b7c5/detection; classtype:trojan-activity; sid:44177; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zurgop variant outbound beaconing connection"; flow:to_server,established; content:"|BC 6C|"; depth:2; http_client_body; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"Content-Length|3A| 63|0D 0A|"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/0885905c9997f003dfac42232a2f4b38b7f6a8773bdd6cdbc6386b28d1357109/; classtype:trojan-activity; sid:44171; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection"; flow:to_server,established; urilen:19; content:"/mxRqXF/arrival.jpg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e/detection; classtype:trojan-activity; sid:44222; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection"; flow:to_server,established; urilen:19; content:"/images/arrival.jpg"; fast_pattern:only; http_uri; content:"User-Agent|3A| curl/7.51.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e/detection; classtype:trojan-activity; sid:44221; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection"; flow:to_server,established; urilen:10; content:"/X8IOl.jpg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e/detection; classtype:trojan-activity; sid:44220; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tarayt outbound connection"; flow:to_server,established; content:"/etir"; fast_pattern:only; http_uri; content:"/etir HTTP"; content:!"Referer"; http_header; content:"DNT: 1"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E276142DD9AF0F064FF75AF17CA05A64E7944EC87B36F54B683B4E430744C242/analysis/; classtype:trojan-activity; sid:44212; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tarayt outbound connection"; flow:to_server,established; content:"/pixel/s2s.php?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E276142DD9AF0F064FF75AF17CA05A64E7944EC87B36F54B683B4E430744C242/analysis/; classtype:trojan-activity; sid:44211; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bullrat variant outbound connection"; flow:to_server,established; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2E 00|0"; fast_pattern:only; content:"w|00|w|00|w|00|u|00 2E 00|e|00|t|00|n|00|e|00|w|00|s|00 2E 00|c|00|o|00|m"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/d6849b89e87b550c9e28db10e56fb11da0631d3add2adfdb32ade71f94374cfd/analysis/; classtype:trojan-activity; sid:44210; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8001 (msg:"MALWARE-CNC Win.Trojan.Cyfshent variant outbound connection"; flow:to_server,established; content:"01095040804|00 00 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/50c0d041c61baac8924af7981cbe34aee909321fa6db7218a842544caa070f2a/analysis/; classtype:trojan-activity; sid:44190; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.FlatChestWare varint outbound connection"; flow:to_server,established; content:"/listen/listen.php?line1="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"Connection|3A| Keep-Alive"; http_header; pcre:"/ran\s+on\s+\d{1,2}\x2f\d{1,2}\x2f\d{4}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:44279; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CrystalAttack outbound file download attempt"; flow:to_server,established; content:"/filesok/443.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html; classtype:trojan-activity; sid:44278; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt"; flow:to_server,established; content:"/versionmaster/nova/load.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html; classtype:trojan-activity; sid:44277; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chthonic outbound file download attempt"; flow:to_server,established; content:"/ico/load.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html; classtype:trojan-activity; sid:44276; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ellell variant outbound connection"; flow:established,to_server; content:"/llll.html"; fast_pattern:only; http_uri; content:"search="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/A468A3B6E574626B26F459D42AF0D90D39E98D28787D19AAEAD94AB438800043/analysis/; classtype:trojan-activity; sid:44316; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Totbrick variant inbound connection attempt"; flow:to_client, established; file_data; content:"ok|0A|"; depth:3; pcre:"/ok\n\d+\n(\d+\x7C){5}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/FD6F8C929DB5F1CE1721CB3CE6F9F9AB6DAD021226BD37DD65F7F2D66215EE1E/analysis/; classtype:trojan-activity; sid:44314; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Totbrick variant outbound connection"; flow:to_server, established; content:"Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:only; http_header; content:!"Referer"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:"/admin.php"; http_uri; content:"1="; http_uri; content:"v="; http_uri; content:"q="; http_uri; content:"b="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/FD6F8C929DB5F1CE1721CB3CE6F9F9AB6DAD021226BD37DD65F7F2D66215EE1E/analysis/; classtype:trojan-activity; sid:44313; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Razy variant outbound connection"; flow:to_server,established; content:"DefaultForm."; http_uri; content:"pfr="; within:150; fast_pattern; http_uri; content:"User-Agent: Go-http-client"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a278256fbf2f061cfded7fdd58feded6765fade730374c508adad89282f67d77/analysis/; classtype:trojan-activity; sid:44307; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Paradise ransomware inbound executable"; flow:to_server,established; file_data; content:"F|00|i|00|l|00|e|00|s|00|.|00|t|00|x|00|t|00|"; content:"F|00|a|00|i|00|l|00|e|00|d|00|.|00|t|00|x|00|t|00|"; content:"/|00|#|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00| |00|M|00|Y|00| |00|F|00|I|00|L|00|E|00|S|00|#|00|.|00|t|00|x|00|t|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/82cfb70e00f357065b68861e71f04b0af33d77fb63e72997b81c3c0402bf5c80/analysis/; classtype:trojan-activity; sid:44367; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Paradise ransomware inbound executable"; flow:to_client,established; file_data; content:"F|00|i|00|l|00|e|00|s|00|.|00|t|00|x|00|t|00|"; content:"F|00|a|00|i|00|l|00|e|00|d|00|.|00|t|00|x|00|t|00|"; content:"/|00|#|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00| |00|M|00|Y|00| |00|F|00|I|00|L|00|E|00|S|00|#|00|.|00|t|00|x|00|t|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/82cfb70e00f357065b68861e71f04b0af33d77fb63e72997b81c3c0402bf5c80/analysis/; classtype:trojan-activity; sid:44366; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Paradise ransomware outbound post"; flow:to_server,established; content:"/api/Encrypted.php"; fast_pattern:only; http_uri; content:"computer_name="; http_client_body; content:"decryption_info="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/82cfb70e00f357065b68861e71f04b0af33d77fb63e72997b81c3c0402bf5c80/analysis/; classtype:trojan-activity; sid:44365; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/ser825/"; depth:8; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44415; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/not46/"; depth:7; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44414; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/kas2/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44413; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/ser829/"; depth:8; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44412; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/kas3/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44411; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/ser831/"; depth:8; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44410; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/kas8/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44409; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/kas7/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44408; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/ser904/"; depth:8; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44407; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/worm/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44406; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/tt0002/"; depth:8; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44405; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"GET /mac1/"; fast_pattern:only; content:"/mac1/"; content:"_"; within:15; content:"."; within:10; content:"/"; within:33; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44404; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trickbot malicious communication attempt"; flow:established,to_server; content:"/kas5/"; depth:6; http_uri; content:"_"; within:15; http_uri; content:"."; within:10; http_uri; content:"/"; within:33; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44403; rev:2;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 DC 5E AE E6 3E EC 78 EC|"; content:"Alaska"; content:"John_Alaska@gmail.com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44402; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 92 93 45 3A 42 8B 15 4C|"; fast_pattern:only; content:"London"; content:"example.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,malware-traffic-analysis.net/2017/08/12/index.html; classtype:trojan-activity; sid:44401; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"f2tee4"; content:"rvgvtfdf"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44400; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"3t2t3rgeg"; content:"fg2eq34df"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44399; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.KediRAT outbound connection"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lions-rugby-tour|02|co|02|uk"; within:200; distance:32; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/file/5dd32f23fde8798b2b34ce259983238f494a3e01613333128bdebc9aebc77f44/analysis/; classtype:trojan-activity; sid:44396; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konus variant outbound connection detected"; flow:to_server,established; content:"/lampi/connect.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/C5586CE98622BAF123A10E99498C64F341B6454244121157185946F96AABE163/analysis/; classtype:trojan-activity; sid:44393; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konus variant outbound connection detected"; flow:to_server,established; content:"/noix/connect.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/C5586CE98622BAF123A10E99498C64F341B6454244121157185946F96AABE163/analysis/; classtype:trojan-activity; sid:44392; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Konus variant outbound connection detected"; flow:to_server,established; content:"/kronos/connect.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/C5586CE98622BAF123A10E99498C64F341B6454244121157185946F96AABE163/analysis/; classtype:trojan-activity; sid:44391; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbount connection detected"; flow:to_server,established; content:"/redirect/CFGUpdate"; fast_pattern:only; http_uri; content:"number="; nocase; http_uri; content:"checksum="; nocase; http_uri; content:"cid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/B4173046C5443AB642479A36BF08B99B4935CBFA852C47105C845EB76E8E64DF/analysis/; classtype:trojan-activity; sid:44450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Popureb variant outbound connection detected"; flow:to_server,established; content:"/do.php"; nocase; http_uri; content:"userid="; nocase; http_uri; content:"time="; nocase; http_uri; content:"msg="; nocase; http_uri; content:"pauid="; fast_pattern:only; http_uri; content:"checkId="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/07345029FAD7F00878B5EBF36BCB6F2C252F4F93DE417BB7E8314A0971198865/analysis/; classtype:trojan-activity; sid:44443; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected"; flow:to_server,established; content:"/upo5den/control.html"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/72AE7AE357F036834A9265E547B27C8598392E493FBDFDD89A34712063D41BCD/analysis/; classtype:trojan-activity; sid:44439; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Poison variant outbound connection detected"; flow:to_server,established; content:"/pivyconfig/pi.html"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/72AE7AE357F036834A9265E547B27C8598392E493FBDFDD89A34712063D41BCD/analysis/; classtype:trojan-activity; sid:44438; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-includes"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44470; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-admin"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44469; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; pcre:"/^session(id)?=[a-z0-9\x2b\x2f]{27}=$/Cmi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:44564; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"CF-RAY: "; http_header; content:"=|0D 0A|"; within:3; distance:27; http_header; pcre:"/CF-RAY: [a-z0-9]{27}=\x0d\x0a/iH"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:44563; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"/login/process.php HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:44562; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC PowerShell Empire variant outbound connection"; flow:to_server,established; content:"/admin/get.php HTTP/1.1|0D 0A|Cookie: SESSION"; fast_pattern:only; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:44561; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Word.Trojan.Emotet obfuscated powershell"; flow:to_server,established; file_data; flowbits:isset,file.doc|file.xls; content:"powershell"; fast_pattern:only; pcre:"/powershell\s*?-e\s*?[A-Za-z0-9+\/=]{20}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/02ec7ded664c7638625dd3681e0332254cda9a288bc6e3a9a70d09f0309fa5b2/analysis/; reference:url,virustotal.com/en/file/e9cf17cb12e738e489164e93c1f3015cb245d12839bedb1a073046f519aad2be/analysis/; classtype:trojan-activity; sid:44560; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Word.Trojan.Emotet obfuscated powershell"; flow:to_client,established; file_data; flowbits:isset,file.doc|file.xls; content:"powershell"; fast_pattern:only; pcre:"/powershell\s*?-e\s*?[A-Za-z0-9+\/=]{20}/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/02ec7ded664c7638625dd3681e0332254cda9a288bc6e3a9a70d09f0309fa5b2/analysis/; reference:url,virustotal.com/en/file/e9cf17cb12e738e489164e93c1f3015cb245d12839bedb1a073046f519aad2be/analysis/; classtype:trojan-activity; sid:44559; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6280 (msg:"MALWARE-CNC Andr.Trojan.Congur variant outbound connection detected"; flow:to_server,established; content:"/collect"; fast_pattern:only; content:"ts="; nocase; content:"ver="; nocase; content:"diff="; nocase; content:"hash="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/cd050a2868646f231c544c566ba3cc34538e63a5125a2c7ad1f4bbd41d5e8cdd/analysis/; classtype:trojan-activity; sid:44554; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.DNSMessenger outbound connection"; flow:to_server; content:"|01 00 00 01 00 00 00 00 00 00 0A|"; depth:11; offset:2; content:"|05|stage"; within:6; distance:10; nocase; content:"|00 10 00 01|"; within:45; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:44595; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"My Company Name LTD."; content:"domain.com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/00fa65c8fced0abfab3f544801014a349f7d960819d8d79c47abe090bd75ccfc; classtype:trojan-activity; sid:44592; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"Let's Encrypt"; content:"gloverkentok.us"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/220a2b2d7353a697496abcabf1b4c1990b8c9b7143e6dada17782ddd9ee2c232; classtype:trojan-activity; sid:44591; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; http_uri; content:"Accept: |2A 2F 2A|"; nocase; http_header; content:"Content-Encoding:"; http_header; content:"binary"; within:10; nocase; http_header; content:"User-Agent:"; http_header; content:".NET CLR 3.0.04506.648"; within:120; fast_pattern; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9843a7be6b313c2fb4093ca25639b6d92cc1e0bdacfcc6277ea61e635e220e1c/analysis/1425053730/; classtype:trojan-activity; sid:44570; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"Accept: |2A 2F 2A|"; nocase; content:"Content-Encoding:"; content:"binary"; within:10; nocase; content:"User-Agent:"; content:"Windows 98"; within:50; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9843a7be6b313c2fb4093ca25639b6d92cc1e0bdacfcc6277ea61e635e220e1c/analysis/1425053730/; classtype:trojan-activity; sid:44569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7878 (msg:"MALWARE-CNC Android Red Alert Trojan outbound connection"; flow:to_server,established; content:"POST /sy HTTP/1.1|0D 0A|"; depth:19; content:"|0D 0A 0D 0A|eyJ"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9446a9a13848906ca3040e399fd84bfebf21c40825f7d52a63c7ccccec4659b7/analysis/; classtype:trojan-activity; sid:44622; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7878 (msg:"MALWARE-CNC Android Red Alert Trojan outbound connection"; flow:to_server,established; content:"POST /ssl HTTP/1.1|0D 0A|"; depth:20; content:"|0D 0A 0D 0A|eyJ"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e47f075b9d0b2eb840b8bbd49017ffb743f9973c274ec04b4db209af73300d6/analysis/; classtype:trojan-activity; sid:44621; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7878 (msg:"MALWARE-CNC Android Red Alert Trojan outbound connection"; flow:to_server,established; content:"POST /stbi HTTP/1.1|0D 0A|"; depth:21; content:"|0D 0A 0D 0A|eyJ"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e47f075b9d0b2eb840b8bbd49017ffb743f9973c274ec04b4db209af73300d6/analysis/; classtype:trojan-activity; sid:44620; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7878 (msg:"MALWARE-CNC Android Red Alert Trojan outbound connection"; flow:to_server,established; content:"POST /sban HTTP/1.1|0D 0A|"; depth:21; content:"|0D 0A 0D 0A|eyJ"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3e47f075b9d0b2eb840b8bbd49017ffb743f9973c274ec04b4db209af73300d6/analysis/; classtype:trojan-activity; sid:44619; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/images/galery/post/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/8ca67f6ca5953a385504b23b859d40f76887e8778c3c69e9e978432874cddc26/detection; classtype:trojan-activity; sid:44618; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/7309/"; depth:6; fast_pattern; http_uri; content:".zip"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/8ca67f6ca5953a385504b23b859d40f76887e8778c3c69e9e978432874cddc26/detection; classtype:trojan-activity; sid:44617; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection"; flow:to_server,established; content:"/wp-admin/user/"; fast_pattern:only; http_uri; content:".zip"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/8ca67f6ca5953a385504b23b859d40f76887e8778c3c69e9e978432874cddc26/detection; classtype:trojan-activity; sid:44616; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected"; flow:to_server,established; content:"/JGHldb03m"; fast_pattern:only; http_uri; content:"UA-CPU: AMD64"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432/detection; classtype:trojan-activity; sid:44611; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky dropper variant outbound request detected"; flow:to_server,established; content:"/IUGiwe8"; fast_pattern:only; http_uri; content:"UA-CPU: AMD64"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/1b80b24b7195960a74cc10dbbc9685ae229443a80d11c7fe7a9c8fdd4e59840d/detection; classtype:trojan-activity; sid:44610; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Quimonk variant outbound connection detected"; flow:to_server,established; content:"/api/getlist"; nocase; http_uri; content:"js={"; depth:4; nocase; http_client_body; content:"|22|mac|22 3A|"; nocase; http_client_body; content:"|22|rgn|22 3A|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/775c7bd9e820c4dfd0fabdfeade2de901414bd46d2691ea5020a818f6a42eb83/analysis/; classtype:trojan-activity; sid:44639; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wraut variant outbound connection"; flow:to_server,established; content:"/z/lib/"; fast_pattern:only; http_uri; content:".dll.c"; nocase; http_uri; content:"Cache-Control:"; nocase; http_header; content:"no-cache|0D 0A|"; within:15; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/653b79aa9e92a7a2b8faa7b36c1541c045e12d583c6f1f71bd5c4190255e6d15/analysis/1425053730/; classtype:trojan-activity; sid:44659; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC IoT Reaper botnet CNC"; flow:to_server,established; content:"/api/api.php"; http_uri; content:"macaddress="; http_client_body; content:"&device=OpenWRT"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5e3334615651b1201f0ae41aa222deae6a10e0933d9b2bbabe7ce8b2e3752271/detection; classtype:trojan-activity; sid:44656; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC IoT Reaper botnet dropper"; flow:to_server,established; urilen:3; content:"/sa"; fast_pattern:only; http_uri; content:"Host"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/e2ed207461032f4bf96cfd36e54cd883186592860056bd96df94e73f5b7db035/detection; classtype:trojan-activity; sid:44655; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC IoT Reaper botnet CNC"; flow:to_server,established; content:"/api/api.php"; http_uri; content:"&device=TP-Link775&type=armv5le&version="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/de242aefb9c8a8f10a7a3313265032172a6ecff69b01dc9ca88fd7779090285a/detection; classtype:trojan-activity; sid:44654; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC IoT Reaper botnet"; flow:to_server,established; content:"/hedwig.cgi"; fast_pattern:only; http_uri; content:"../../../"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b463ca6c3ec7fa19cd318afdd2fa2365fa9e947771c21c4bd6a3bc2120ba7f28/detection; classtype:trojan-activity; sid:44653; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; content:"/QualityCheck/ni6.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dea4247e021eeeb1347ff269a357dee77e8ac1837383b0ef37fb123339639a1/analysis/; classtype:trojan-activity; sid:44652; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC SquirrelMail directory traversal attempt"; flow:to_server,established; content:"/src/redirect.php?plugins[]="; fast_pattern:only; http_uri; pcre:"/\x2fsrc\x2fredirect.php\x3fplugins\x5b\x5d=((?!^--).)*?\x2e\x2e[\x2f\x5c]/Usim"; metadata:service http; reference:cve,2006-2842; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.securityfocus.com/bid/18231/info; classtype:web-application-attack; sid:44697; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen variant outbound connection"; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:44689; rev:2;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"MALWARE-CNC Linux.Trojan.IoTReaper_Botnet telnet connection attempt"; flow:established,to_client; content:"server get connect with "; depth:24; content:"."; within:4; content:"."; within:4; content:"."; within:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service telnet; classtype:trojan-activity; sid:44681; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nemucod outbound connection"; flow:to_server,established; content:"/f78aqnQy/connect.php"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:44677; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Retadup variant outbound connection"; flow:established,to_client; content:"|3A 3A|6232743866487838"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/c69811d8574fcc59e37fe2cbf0a31be4956ab81c3279bfb1351ff6da3417b4a7/detection; classtype:trojan-activity; sid:44791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nymaim variant outbound connection"; flow:to_server,established; content:"/vixduw/index.php"; fast_pattern:only; http_uri; content:"Host: carfax.com"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/6b905735d180947cabfeb54885dffc9e171b5001d103f395b59966de000ec4f8/; classtype:trojan-activity; sid:44789; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nymaim variant outbound connection"; flow:to_server,established; content:"/omcqeugwa/index.php"; fast_pattern:only; http_uri; content:"Host: carfax.com"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/6b905735d180947cabfeb54885dffc9e171b5001d103f395b59966de000ec4f8/; classtype:trojan-activity; sid:44788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Godzilla outbound connection"; flow:to_server,established; content:"/gz/stat.php"; fast_pattern:only; http_uri; content:"g="; http_uri; content:"k="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/edeea5219eb15f510480f3d7103ef48e6f8443cf470a55a0f98727ee9202f8b0/; classtype:trojan-activity; sid:44787; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky outbound callout"; flow:to_server,established; content:"/8y6ghhfg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4074ff22a842725dd1f5ee40248e3d8acd4e912f8cf82edfe763713e49581d5b/analysis/; reference:url,virustotal.com/en/file/4df150f7e3f8ca7cbbccf6df90dd47cab0ab89b8a3dda1e91102a36364604ee6/analysis/; reference:url,virustotal.com/en/file/6c4b647c7c408bd78a8454d8a137139fc5f0456d6d606146030fe6f0e61c7942/analysis/; reference:url,virustotal.com/en/file/ec28311fd20e719ad532bd829bfa65440e012c7db5d0fb0fefb80ea7e06e9a6b/analysis/; reference:url,virustotal.com/en/file/ff0655d51206a6393b9e8d2a6db0c5cd68d5eaf16d21a2e88b7202e99185b405/analysis/; classtype:trojan-activity; sid:44782; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky outbound callout"; flow:to_server,established; content:"/iugftrs2"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/057b9e96272f96685485a720ce962e093fd7d57360b312c114cc44096ec87695/analysis/; reference:url,virustotal.com/en/file/6853fae2acd6ed56c961d69301c907c01d3d2da6a7989b8b4a6eeb900067f748/analysis/; reference:url,virustotal.com/en/file/7744255c6d2ec9d1269867bb6804c663e4b0608056e9f5a9cbdfdc70d9b2d40a/analysis/; reference:url,virustotal.com/en/file/a51797f0078315e11a23b02c910a2161fc59e2dc85e5ab5c659075a2c9d8bf1d/analysis/; reference:url,virustotal.com/en/file/c4a5bb496388a17c963d856dcf0d194ce3c6f96d68199c6b3144ad3fa13ed5ce/analysis/; classtype:trojan-activity; sid:44781; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky outbound callout"; flow:to_server,established; content:"/jhbfvg7"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4074ff22a842725dd1f5ee40248e3d8acd4e912f8cf82edfe763713e49581d5b/analysis/; reference:url,virustotal.com/en/file/4df150f7e3f8ca7cbbccf6df90dd47cab0ab89b8a3dda1e91102a36364604ee6/analysis/; reference:url,virustotal.com/en/file/6c4b647c7c408bd78a8454d8a137139fc5f0456d6d606146030fe6f0e61c7942/analysis/; reference:url,virustotal.com/en/file/ec28311fd20e719ad532bd829bfa65440e012c7db5d0fb0fefb80ea7e06e9a6b/analysis/; reference:url,virustotal.com/en/file/ff0655d51206a6393b9e8d2a6db0c5cd68d5eaf16d21a2e88b7202e99185b405/analysis/; classtype:trojan-activity; sid:44780; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?t0="; fast_pattern:only; http_uri; content:"t1="; http_uri; content:"t2="; http_uri; content:"t3="; http_uri; content:"t6="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/research/bronze-butler-targets-japanese-businesses; classtype:trojan-activity; sid:44779; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?h="; fast_pattern:only; http_uri; content:"o="; http_uri; content:"w="; http_uri; content:"a="; http_uri; content:"y="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/research/bronze-butler-targets-japanese-businesses; classtype:trojan-activity; sid:44778; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?ps0="; fast_pattern:only; http_uri; content:"ps1="; http_uri; content:"ps2="; http_uri; content:"ps3="; http_uri; content:"ps6="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/research/bronze-butler-targets-japanese-businesses; classtype:trojan-activity; sid:44777; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?item0="; fast_pattern:only; http_uri; content:"item1="; http_uri; content:"item2="; http_uri; content:"item3="; http_uri; content:"item6="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/research/bronze-butler-targets-japanese-businesses; classtype:trojan-activity; sid:44776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?idcard0="; fast_pattern:only; http_uri; content:"idcard1="; http_uri; content:"idcard2="; http_uri; content:"idcard3="; http_uri; content:"idcard6="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.secureworks.com/research/bronze-butler-targets-japanese-businesses; classtype:trojan-activity; sid:44775; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.xxmm variant initial outbound connection detected"; flow:to_server,established; content:"php?id0="; fast_pattern:only; http_uri; content:"id1="; http_uri; content:"id2="; http_uri; content:"id3="; http_uri; content:"id6="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/18e896a7547aacb33aa3941ab1b61659ed099c0f6fbb924068f81b4289b05f12/analysis/; classtype:trojan-activity; sid:44774; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Silence monitoring module download"; flow:to_client,established; file_data; content:"pipe|5C|{73F7975A-A4A2-4AB6-9121-AECAE68AABBB}"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27/analysis/; classtype:attempted-admin; sid:44771; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Silence cnc module download"; flow:to_client,established; file_data; content:"h|00|t|00|r|00|j|00|y|00|y|00|t|00|r|00|n"; fast_pattern:only; content:"h|00|t|00|c|00|n|00|f|00|h|00|n"; content:"y|00|t|00|n|00|p|00|f|00|l|00|f|00|y|00|b|00|q"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/9fcc8c9b4eecc2cd8df621c924bbff40a0178ddbd6a6b5ced73ada2ee81854bb/analysis/; classtype:attempted-admin; sid:44770; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Silence inbound download"; flow:to_client,established; file_data; content:"|C6 45 E8 52 C6 45 E9 74 C6 45 EA 70 C6 45 EB 45 C6 45 EC 6E C6 45 ED 63 C6 45 EE 6F C6 45 EF 64 C6 45 F0 65 C6 45 F1 50 C6 45 F2 6F C6 45 F3 69 C6 45 F4 6E C6 45 F5 74 C6 45 F6 65 C6 45 F7 72 C6 45 F8 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/f24b160e9e9d02b8e31524b8a0b30e7cdc66dd085e24e4c58240e4c4b6ec0ac2/analysis/; classtype:attempted-admin; sid:44769; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Silence outbound request"; flow:to_server,established; content:"/get.php?name="; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Cookie"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/f24b160e9e9d02b8e31524b8a0b30e7cdc66dd085e24e4c58240e4c4b6ec0ac2/analysis/; classtype:attempted-admin; sid:44768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; content:"%D0%8BTl%DC"; depth:11; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack; classtype:trojan-activity; sid:44763; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; content:"User-Agent|3A|"; http_header; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; distance:0; fast_pattern; http_header; pcre:"/Win64\x3B\sx64\x29\x3B\s[0-9]{16}\w{16}\x0D\x0A/iH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:44762; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Reyptson ransomware download"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"Reyptson"; fast_pattern:only; content:"rthaergaerhaerg"; content:"tsrtjsrtghsrth"; content:"srtysrtusrtyg"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41/analysis/; classtype:trojan-activity; sid:44761; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Reyptson ransomware download"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"Reyptson"; fast_pattern:only; content:"rthaergaerhaerg"; content:"tsrtjsrtghsrth"; content:"srtysrtusrtyg"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41/analysis/; classtype:trojan-activity; sid:44760; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Stimilina variant outbound connection detected"; flow:to_server,established; content:"VWGRTT"; depth:6; fast_pattern; http_client_body; content:"/gate.php"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/B58493C36B6ABA5B03D2D266ABA3B07A7E91090C77E5EC2464B02E93D21A4DB9/analysis/; classtype:trojan-activity; sid:44753; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0D|xmponmzmxkxkh|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44807; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0E|techniciantext|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44806; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0C|operatingbox|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44805; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|07|paniesx|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44804; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|08|dnsgogle|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44803; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0F|nylalobghyhirgh|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44802; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0B|tczafklirkl|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44801; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0B|ribotqtonut|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44800; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|06|notped|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44799; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0D|jkvmdmjyfcvkf|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44798; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC Win.Trojan.Shadowpad DNS TXT encrypted outbound connection"; flow:to_server; dsize:>80; byte_test:1,!&,0xF8,2; content:"|0F|bafyvoruzgjitwr|03|com|00 00 10|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,virustotal.com/en/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/; classtype:trojan-activity; sid:44797; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Malicious VBA Dropper outbound connection detected"; flow:to_server,established; content:"/news/t.php?"; http_uri; content:"thread="; within:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; classtype:trojan-activity; sid:44876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Php.Dropper.Mayhem variant outbound connection"; flow:established,to_server; content:"R|2C|20130826|2C|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/b3cc1aa3259cd934f56937e6371f270c23edf96d2c0801728b0379dd07a0a035/detection; classtype:trojan-activity; sid:44975; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound connection"; flow:to_server,established; content:"/domain/apple-pie.in"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/54a349e84d2a27b46c549f553c975d727d376e9f8428eb9bae6c01a980e7d904/analysis/; classtype:trojan-activity; sid:44973; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound connection"; flow:to_server,established; content:"/domain/arthur.niria.biz"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/54a349e84d2a27b46c549f553c975d727d376e9f8428eb9bae6c01a980e7d904/analysis/; classtype:trojan-activity; sid:44972; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.FallChill variant outbound connection"; flow:to_server,established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|04 88 4D 76|"; within:4; distance:4; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6/analysis/; classtype:trojan-activity; sid:44946; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.FallChill variant outbound connection"; flow:to_server,established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|B2 63 70 7B|"; within:4; distance:4; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6/analysis/; classtype:trojan-activity; sid:44945; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.FallChill variant outbound connection"; flow:to_server,established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|B0 63 70 7B|"; within:4; distance:4; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6/analysis/; classtype:trojan-activity; sid:44944; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.FallChill variant outbound connection"; flow:to_server,established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|06 88 4D 76|"; within:4; distance:4; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6/analysis/; classtype:trojan-activity; sid:44943; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"MALWARE-CNC Osx.Trojan.Fruitfly variant outbound connection detected"; flow:to_server,established; content:"|01 77 04 00 00|"; depth:5; content:"|00 00 00|"; within:3; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/#/file/ce07d208a2d89b4e0134f5282d9df580960d5c81412965a6d1a0786b27e7f044/detection; classtype:trojan-activity; sid:44911; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected"; flow:to_client,established; file_data; content:"9[6we7w|2F|,+w&8buu"; content:"Sr&w09."; distance:0; content:".7,rz|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cb2a7647f12d858ed1739ddd1c4f257a0c4a5d0bdc3b303b4f1f663e56c8c90e/detection; classtype:trojan-activity; sid:44899; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CoinMiner outbound connection"; flow:to_server,established; urilen:10; content:"/text.html"; http_uri; content:"User-Agent|3A| NSIS_Inetc |28|Mozilla|29|"; http_header; content:!"Cookie"; nocase; http_header; content:!"Content-Length"; nocase; http_header; content:!"Content-Type"; nocase; http_header; content:!"Referer"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cb2a7647f12d858ed1739ddd1c4f257a0c4a5d0bdc3b303b4f1f663e56c8c90e/detection; classtype:trojan-activity; sid:44898; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CoinMiner outbound connection"; flow:to_server,established; urilen:10; content:"/test.html"; http_uri; content:"User-Agent|3A| NSIS_Inetc |28|Mozilla|29|"; http_header; content:!"Cookie"; nocase; http_header; content:!"Content-Length"; nocase; http_header; content:!"Content-Type"; nocase; http_header; content:!"Referer"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cb2a7647f12d858ed1739ddd1c4f257a0c4a5d0bdc3b303b4f1f663e56c8c90e/detection; classtype:trojan-activity; sid:44897; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CoinMiner outbound connection"; flow:to_server,established; urilen:10; content:"/stat.html"; http_uri; content:"User-Agent|3A| NSIS_Inetc |28|Mozilla|29|"; http_header; content:!"Cookie"; nocase; http_header; content:!"Content-Length"; nocase; http_header; content:!"Content-Type"; nocase; http_header; content:!"Referer"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cb2a7647f12d858ed1739ddd1c4f257a0c4a5d0bdc3b303b4f1f663e56c8c90e/detection; classtype:trojan-activity; sid:44896; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CoinMiner inbound connection detected"; flow:to_client,established; file_data; content:"<BODY>|0D 0A|<IMG|0D|"; content:"50er&w9eq|5B 7B 22|x0|5C|x|2F 5C|D9t.@9756|5C|IMGiijnr"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cb2a7647f12d858ed1739ddd1c4f257a0c4a5d0bdc3b303b4f1f663e56c8c90e/detection; classtype:trojan-activity; sid:44895; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [6660:6669,7000] (msg:"MALWARE-CNC Legend irc bot cnc attempt"; flow:to_server,established; content:"PRIVMSG |23|"; content:":!legend"; within:220; metadata:policy balanced-ips alert, policy security-ips drop, service irc; classtype:trojan-activity; sid:44998; rev:1;)
alert tcp $EXTERNAL_NET [6660:6669,7000] -> $HOME_NET any (msg:"MALWARE-CNC Legend irc bot cnc attempt"; flow:to_client,established; content:"PRIVMSG |23|"; content:":!legend"; within:220; metadata:policy balanced-ips alert, policy security-ips drop, service irc; classtype:trojan-activity; sid:44997; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45065; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45064; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45063; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45062; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedId outbound connection"; flow:to_server,established; content:"/forum/viewtopic.php?a="; fast_pattern:only; http_uri; content:"Connection: Close"; nocase; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"User-Agent:"; http_header; content:"&b="; depth:25; offset:24; http_uri; content:"&d="; within:3; distance:18; http_uri; content:"&e="; within:11; distance:1; http_uri; pcre:"/\x2fforum\x2fviewtopic.php\x3fa=[0-9]{1,2}&b=[0-9A-F]{18}&d=[0-9]{1,8}&e=/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013/detection; classtype:trojan-activity; sid:45050; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3380 (msg:"MALWARE-CNC Win.Malware.Recam variant outbound connection"; flow:to_server,established; content:"|41 00 00 00 83|"; depth:5; dsize:68<>69; metadata:impact_flag red, policy security-ips drop; reference:url,virustotal.com/en/file/99371d8da86e964cc52bd719fd85f1f0015e4c60a9705747bb9b8ac52fd29b4a/analysis/; classtype:trojan-activity; sid:45104; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Syscon variant outbound connection"; flow:established,to_server; content:"-yT/XXNKKKK"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,virustotal.com/en/file/f4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e/analysis/; classtype:trojan-activity; sid:45100; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Syscon variant inbound connection"; flow:established,to_client; content:"|29|.txt|0D 0A|-rw-r--r--"; fast_pattern:only; pcre:"/\(\d{2}-\d{2}\s\d{2}-\d{2}-\d{2}\)\.txt/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data; reference:url,virustotal.com/en/file/f4987d127320cb5bfb8f49fc26435e01312bdd35a4e5e60db13546046584bd4e/analysis/; classtype:trojan-activity; sid:45099; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.SnatchLoader variant outbound connection"; flow:to_server,established; content:"/css/order.php"; http_uri; urilen:14; content:"OI6XFe"; depth:6; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7d75a7a63b7a28399c89f3ff5def5af61409350ab5018c31d1518febd44b532b/analysis/; classtype:trojan-activity; sid:45098; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Downloader.SnatchLoader variant inbound connection"; flow:to_client,established; file_data; content:"Gb6la57gh7"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7d75a7a63b7a28399c89f3ff5def5af61409350ab5018c31d1518febd44b532b/analysis/; classtype:trojan-activity; sid:45097; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Gibon variant inbound connection"; flow:established,to_client; content:"message:LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98/analysis/; classtype:trojan-activity; sid:45096; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Gibon variant outbound connection"; flow:established,to_server; content:"User-Agent: GIBON|0D 0A|"; fast_pattern:only; http_header; content:!"Host: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/30b5c4609eadafc1b4f97b906a4928a47231b525d6d5c9028c873c4421bf6f98/analysis/; classtype:trojan-activity; sid:45095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"/insert/index?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"hst="; http_uri; content:"ttype="; http_uri; content:"state="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"password=MD5Sum"; http_client_body; content:"button=Login"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"public/Check_Exist.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45090; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Catch-All malicious Chrome extension dropper outbound connection"; flow:to_server,established; urilen:15; content:"/md"; depth:3; http_uri; pcre:"/\/md[0-9]{8}\.[a-z]{3}/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/90750c7b57a3de333f4ed5d805522e3f909f2e16e7fd5d1e68b965d4c57be0a6/analysis/; classtype:trojan-activity; sid:45114; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"MALWARE-CNC Win.Trojan.FileCryptor variant outbound connection"; flow:to_server; content:"501000"; depth:6; offset:17; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/648f4e50848a55deb1c51fa8d82674bc7dbf3c630c6b6956c015258157736389/analysis/; classtype:trojan-activity; sid:45194; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nautilus outbound call"; flow:to_server,established; content:"/OWA-AUTODISCOVER-EWS"; fast_pattern:only; http_uri; content:"Referer|3A|"; http_header; content:"bing.com"; within:30; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45221; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.VEye2 remote access tool download"; flow:to_server,established; file_data; content:"|3B B0 31 46 FA 72 24 20 DB 3B D0 1B 7E 75 BB 11 30 2C 9E C3 1E 3A 85 50 42 6A 62 9B EC EB CD F9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/65878c810cb339da226ad47528073307396697ad4265c7d19716677c9ed10505/analysis/; classtype:trojan-activity; sid:45209; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.VEye2 remote access tool download"; flow:to_client,established; file_data; content:"|3B B0 31 46 FA 72 24 20 DB 3B D0 1B 7E 75 BB 11 30 2C 9E C3 1E 3A 85 50 42 6A 62 9B EC EB CD F9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/65878c810cb339da226ad47528073307396697ad4265c7d19716677c9ed10505/analysis/; classtype:trojan-activity; sid:45208; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Spider variant download attempt detected"; flow:to_server,established; content:"/javascript-enc-"; fast_pattern:only; http_uri; pcre:"/javascript-enc-\d{1,2}-\d{1,2}-\d{1,2}\.js/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/; classtype:trojan-activity; sid:45252; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Spider variant download attempt detected"; flow:to_server,established; content:"/javascript-dec-"; fast_pattern:only; http_uri; pcre:"/javascript-dec-\d{1,2}-\d{1,2}-\d{1,2}\.js/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/; classtype:trojan-activity; sid:45251; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Freenki variant outbound connection"; flow:to_server,established; urilen:29; content:"/btob_asiana/udel_confirm.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7f35521cdbaa4e86143656ff9c52cef8d1e5e5f8245860c205364138f82c54df/analysis/; classtype:trojan-activity; sid:45239; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CactusTorch download attempt detected"; flow:to_client,established; file_data; content:"base64ToStream"; fast_pattern:only; content:"ActiveXObject"; content:"DynamicInvoke"; content:"ToArray"; within:50; content:"CreateInstance"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/0bbc1b5ba8075996a57fde4d9455688fb38e6bf90eb47321e98030aa17b6e8a5/detection; classtype:attempted-admin; sid:45232; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DDEDownloader variant outbound connection detected"; flow:to_server,established; content:"/cr/dd/a.js"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/0bbc1b5ba8075996a57fde4d9455688fb38e6bf90eb47321e98030aa17b6e8a5/detection; classtype:trojan-activity; sid:45231; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1502 (msg:"MALWARE-CNC Win.Backdoor.Triton Triton ICS malware upload attempt"; flow:to_server; content:"|06 00 48 FF FF 60 38 02 00 00 44 D0 FF 21 94 2C 00 E1 93 78 0B 3F 7C 08 00 7F 90 08 00 9F 80 13|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware; classtype:trojan-activity; sid:45260; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC PowerShell Empire HTTP listener response"; flow:to_client,established; content:"Content-Length: 233|0D 0A|"; fast_pattern:only; http_header; content:"Expires: 0|0D 0A|"; nocase; http_header; content:"Cache-Control: no-cache, no-store, must-revalidate|0D 0A|"; nocase; http_header; content:"Pragma: no-cache|0D 0A|"; nocase; http_header; content:"Not Found"; nocase; http_stat_msg; content:!"Set-Cookie: "; nocase; http_header; content:!"|0D 0A|X-"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1086; reference:url,powershellempire.com; classtype:trojan-activity; sid:45352; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/wp-admin/images/1.tif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45345; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/demo/xxx.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45344; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/daten/1/hgsydei.tif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45343; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/moduli/zolo.wg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45342; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/liveaccess/a1.rar"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45341; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/js/rts.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45340; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/custom/dhfjur74.vt"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/media/vsart.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45338; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/wp-admin/user/"; fast_pattern:only; http_uri; content:".tif"; http_uri; pcre:"/\x2fwp-admin\x2fuser\x2f\d{3}\x2etif/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45337; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/psd/"; fast_pattern; http_uri; content:".zip"; distance:0; http_uri; pcre:"/\x2fpsd\x2f[A-Z]{5,7}\x2ezip/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/bildergalerie/ast/"; fast_pattern; http_uri; content:".rar"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45335; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/demo/wwww.bin"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45334; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/abbazia/"; fast_pattern; http_uri; content:".bin"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45333; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/tmp/"; fast_pattern; http_uri; content:".vt"; distance:0; http_uri; pcre:"/\x2ftmp\x2f[a-z]{4,6}\x2evt/"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45332; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/_iserv/dlfiles/DT49456.rar"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/8932c9fb29bfbd56cd08519f517f8b088dce4bb97dfbb681b66f01775c38c9f6/analysis/; classtype:trojan-activity; sid:45331; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Backdoor.Triton Triton ICS malware transfer attempt"; flow:to_server,established; flowbits:isset,file.pyc|file.zip; file_data; content:"ts_"; fast_pattern:only; content:"Ts"; content:"pyc"; within:20; nocase; pcre:"/Ts_?[^\s]{2,6}\.pyc/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware; classtype:trojan-activity; sid:45478; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Triton Triton ICS malware transfer attempt"; flow:to_client,established; flowbits:isset,file.pyc|file.zip; file_data; content:"ts_"; fast_pattern:only; content:"Ts"; content:"pyc"; within:20; nocase; pcre:"/Ts_?[^\s]{2,6}\.pyc/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware; classtype:trojan-activity; sid:45477; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:7; content:"/httpd1"; fast_pattern:only; http_uri; content:"Wget/"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073/analysis/; classtype:trojan-activity; sid:45473; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:9; content:"/minerd32"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073/analysis/; classtype:trojan-activity; sid:45472; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:11; content:"/watchcat32"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073/analysis/; classtype:trojan-activity; sid:45471; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; content:"/kelly6666/sm.txt"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/90024e7ce704b9a186964cf05bce65fa4b620fff5461036532cafd94db4ae050/analysis/; classtype:trojan-activity; sid:45470; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; content:"/kelly6666/lo.txt"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/90024e7ce704b9a186964cf05bce65fa4b620fff5461036532cafd94db4ae050/analysis/; classtype:trojan-activity; sid:45469; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:9; content:"/sambacry"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7ce136262994ca82b1123cde62caf69e42281eb258d641205ba59b55f5558684/analysis/; classtype:trojan-activity; sid:45468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pdf.Phishing.Agent variant outbound connection detected"; flow:to_server,established; content:"/cache/dropbox1/dropbox/"; fast_pattern:only; http_uri; content:"//cache/dropbox1/dropbox/"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,virustotal.com/en/file/940fe3a9514f64b6c80ee25541271be206421c4d80d08061d1fa3a9ff96298a8/analysis/; classtype:trojan-activity; sid:45483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rokrat file upload attempt"; flow:to_server,established; content:"/uploadfile"; http_uri; content:"filename=|22|pho_"; fast_pattern:only; http_client_body; pcre:"/filename\x3D\x22pho\x5F[A-F0-9]+?\x5f\d+?\x2Ejpg\x22/Pi"; content:"Content-Type: voice/mp3"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/171e26822421f7ed2e34cc092eaeba8a504b5d576c7fd54aa6975c2e2db0f824/detection; classtype:trojan-activity; sid:45510; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/wp-includes/pomo/"; nocase; http_uri; content:".pif"; within:20; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fb58d736c09fe1f05a36c2fe2c0ce3cfe03ece885ba8272000355e35600aef17/analysis/; classtype:trojan-activity; sid:45567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/xmlrpc/"; nocase; http_uri; content:".tif"; within:10; nocase; http_uri; pcre:"/\/xmlrpc\/\d{3,5}\x2etif/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fb58d736c09fe1f05a36c2fe2c0ce3cfe03ece885ba8272000355e35600aef17/analysis/; classtype:trojan-activity; sid:45566; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; http_header; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A 0D 0A|"; http_header; content:!"Cookie:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45564; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45563; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt"; flow:to_server,established; content:"/_x/_x.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/063f14091c811feb0b99de21d52dc55ca2ccb0c387b515e7407ea09a4337ceef/analysis/; classtype:trojan-activity; sid:45562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt"; flow:to_server,established; content:"User-Agent: Lock|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/063f14091c811feb0b99de21d52dc55ca2ccb0c387b515e7407ea09a4337ceef/analysis/; reference:url,www.virustotal.com/en/file/1436577b2b111fe299a1321e00543d0e8d49d827abde651faea7403e4bb38644/analysis/; classtype:trojan-activity; sid:45561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.LockPoS outbound connection attempt"; flow:to_server,established; content:"/_x/update.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/1436577b2b111fe299a1321e00543d0e8d49d827abde651faea7403e4bb38644/analysis/; classtype:trojan-activity; sid:45560; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Velso ransomware download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5C|get_my_files.txt"; fast_pattern:only; content:"Velso"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/4c8cf7ce3836edceb540edeccae97ef182331f6ed93e678d2e33105d01e809bf/analysis/; classtype:trojan-activity; sid:45552; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Velso ransomware download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5C|get_my_files.txt"; fast_pattern:only; content:"Velso"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/4c8cf7ce3836edceb540edeccae97ef182331f6ed93e678d2e33105d01e809bf/analysis/; classtype:trojan-activity; sid:45551; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.xxmm second stage configuration download attempt"; flow:to_client,established; file_data; flowbits:isset,file.jpeg; content:"|FF D9|x|00|x|00|m|00|m|00|"; fast_pattern:only; content:"m|00|m|00|x|00|x|00|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/18e896a7547aacb33aa3941ab1b61659ed099c0f6fbb924068f81b4289b05f12/analysis/; classtype:trojan-activity; sid:45574; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rokrat variant outbound connection detected"; flow:to_server,established; content:".php?id="; http_uri; content:"fp_vs="; fast_pattern:only; http_uri; content:"os_vs="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9/detection; classtype:trojan-activity; sid:45607; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,1025:] (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection"; flow:to_server,established; content:"user-agent: libsfml-network/2.x"; fast_pattern:only; http_header; content:"from: user@sfml-dev.org"; nocase; http_header; content:"content-length: 64"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/af7a4f04435f9b6ba3d8905e4e67cfa19ec5c3c32e9d35937ec0546cce2dd1ff/analysis/; classtype:trojan-activity; sid:45658; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vermin outbound connection attempt"; flow:to_server,established; urilen:3; content:"FgMBAFoBAABWAwFacgyY47N9f2hbus+/VSalBB0qkdube/LuEYBfQoqL7QAAGAAvADUABQAKwBPAFMAJwAoAMgA4ABMABAEAABX/AQABAAAKAAYABAAXABgACwACAQA="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/5ee12dd028f5f8c2c0eb76f28c2ce273423998b36f3fc20c9e291f39825601f9/detection; classtype:trojan-activity; sid:45651; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Doc.Dropper.Lazarus initial download"; flow:to_server,established; flowbits:isset,file.doc; file_data; content:"kgw:18<Bg0y44"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/8170681ceb536131b91e284a560518f666f655c19643154184f762130358e9ca/analysis/; classtype:trojan-activity; sid:45648; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Doc.Dropper.Lazarus initial download"; flow:to_client,established; flowbits:isset,file.doc; file_data; content:"kgw:18<Bg0y44"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/8170681ceb536131b91e284a560518f666f655c19643154184f762130358e9ca/analysis/; classtype:trojan-activity; sid:45647; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure"; flow:to_server,established; content:"POST /is-return "; depth:16; fast_pattern; content:"User-Agent"; content:"|2D 7C 2D|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45646; rev:3;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s2|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s3|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45645; rev:3;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s1|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s1|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45644; rev:3;)
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s0|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s0|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45643; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent outbound connection"; flow:to_server,established; content:"Content-Length: 0"; fast_pattern:only; content:"User-Agent"; content:"|2D 7C 2D|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif variant outbound connection attempt"; flow:to_server,established; content:"/wp-includes/ID3/opds.tif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/264C92F7B91DD41A234BE261CAD448285365D26F4B128665C001D33AA44ACF07/analysis/; classtype:trojan-activity; sid:45675; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GandCrab outbound connection"; flow:to_server,established; content:"/curl.php?token="; fast_pattern:only; http_uri; content:"data="; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d/detection; classtype:trojan-activity; sid:45694; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [8043,8080,8843] (msg:"MALWARE-CNC Win.Trojan.CannibalRAT outbound upload attempt"; flow:to_server,established; content:"POST|20|/api/upload|20|"; depth:17; content:"User-Agent|3A 20|python-requests"; content:"name=|22|botid|22|"; fast_pattern:only; content:"name=|22|src|22|"; nocase; content:"name=|22|uploaded|22|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45773; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [8043,8080,8843] (msg:"MALWARE-CNC Win.Trojan.CannibalRAT outbound reporting attempt"; flow:to_server,established; content:"POST|20|/api/report|20|"; depth:17; content:"User-Agent|3A 20|python-requests"; content:"botid="; fast_pattern:only; content:"output="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/83d49f14ebb6641f1b813614a40e7df2d200096b8aae198e6298125f47b55b59/analysis/; classtype:trojan-activity; sid:45772; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [8043,8080,8843] (msg:"MALWARE-CNC Win.Trojan.CannibalRAT initial outbound connection"; flow:to_server,established; content:"POST|20|/api/"; depth:10; content:"/hello"; depth:300; content:"User-Agent|3A 20|python-requests"; fast_pattern:only; content:"|22|username|22 3A|"; content:"|22|hostname|22 3A|"; content:"|22|platform|22 3A|"; content:"|22|memory|22 3A|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/98bcb29912a8802d1a863d129d35876f7b2922146d2f05c17cd51ba907e617ba/analysis/; classtype:trojan-activity; sid:45771; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Saturn initial download"; flow:to_server,established; file_data; content:"|3C 90 A7 C3 20 1D FA FA 06 69 2A A7 CD FC FB FB FB 39 A2 3A 42 FC AB 3C 90 A7 C1 20 0D FE FE 3F|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/b3040fe60ac44083ef54e0c5414135dcec3d8282f7e1662e03d24cc18e258a9c/analysis/; classtype:trojan-activity; sid:45755; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Saturn initial download"; flow:to_client,established; file_data; content:"|3C 90 A7 C3 20 1D FA FA 06 69 2A A7 CD FC FB FB FB 39 A2 3A 42 FC AB 3C 90 A7 C1 20 0D FE FE 3F|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/b3040fe60ac44083ef54e0c5414135dcec3d8282f7e1662e03d24cc18e258a9c/analysis/; classtype:trojan-activity; sid:45754; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smominru outbound call"; flow:to_server,established; content:"/cudart32_65.dll"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Referrer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d; classtype:trojan-activity; sid:45827; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Smominru outbound call"; flow:to_server,established; content:"/md5.txt"; depth:8; nocase; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Referrer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/f1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d; classtype:trojan-activity; sid:45826; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Ransomware.Thanatos"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1) Thanatos/1.1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9; classtype:trojan-activity; sid:45816; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex initial file download"; flow:to_server,established; file_data; content:"MZ"; depth:2; content:".coda"; depth:1000; content:".crt"; depth:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d2e29766acf5dab8b6b6a2c498a56e070a59329978e13faeedb9fc985884fe93/analysis/; classtype:trojan-activity; sid:45932; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex initial file download"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:".coda"; depth:1000; content:".crt"; depth:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d2e29766acf5dab8b6b6a2c498a56e070a59329978e13faeedb9fc985884fe93/analysis/; classtype:trojan-activity; sid:45931; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex initial file download"; flow:to_server,established; file_data; content:"MZ"; depth:2; content:".codu"; depth:1000; content:".crt"; depth:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d2e29766acf5dab8b6b6a2c498a56e070a59329978e13faeedb9fc985884fe93/analysis/; classtype:trojan-activity; sid:45930; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex initial file download"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:".codu"; depth:1000; content:".crt"; depth:1000; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d2e29766acf5dab8b6b6a2c498a56e070a59329978e13faeedb9fc985884fe93/analysis/; classtype:trojan-activity; sid:45929; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CobaltStrike outbound beacon command result"; flow:to_server; content:"/submit.php?id="; fast_pattern:only; http_uri; content:"Content-Type: application/octet-stream"; nocase; http_header; content:"|0D 0A 0D 0A|"; byte_jump:4,0,relative; isdataat:!1,relative; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45910; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC CobaltStrike trial version inbound beacon response"; flow:to_client; content:"X-Malware: X5O!P%@AP[4|5C|PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45909; rev:1;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record"; flow:to_client; content:"|03|aaa|05|stage"; fast_pattern; content:"|00 00 10 00 01 00 00 00 01 01 00 FF|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45908; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record"; flow:to_server; content:"|03|aaa|05|stage"; nocase; content:"|00 00 10 00 01|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45907; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"MALWARE-CNC CobaltStrike DNS Beacon outbound A record"; flow:to_server; content:"|03|aaa|05|stage"; nocase; content:"|00 00 01 00 01|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45906; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; content:"/index.php?udpool="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check"; flow:to_client,established; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45962; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"false|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45961; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Silverstar outbound connection"; flow:to_server,established; content:"response=fallback"; fast_pattern:only; http_uri; content:"/api.php?"; depth:9; http_uri; content:"gpu="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3f751799a501532f43ca5f12fe80aa0bad78f9f5d57e76bf49b401bb99f355df/detection; classtype:trojan-activity; sid:45960; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.PyCryptoMiner outbound connection"; flow:to_server,established; content:"/api"; depth:4; http_uri; content:"action=get&name=jboss"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/file/d47d2aa3c640e1563ba294a140ab3ccd22f987d5c5794c223ca8557b68c25e0d/analysis/1519876147/; classtype:trojan-activity; sid:45956; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; content:"/resp?"; depth:6; http_uri; pcre:"/\/resp\?[A-F0-9]+?(AAZ|ABZ)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f/analysis/; classtype:trojan-activity; sid:45948; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; content:"/chk?"; depth:6; http_uri; pcre:"/\/chk\?[A-F0-9]+?$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f/analysis/; classtype:trojan-activity; sid:45947; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection attempt"; flow:to_server,established; content:"/what?"; depth:6; http_uri; pcre:"/\/what\?[A-F0-9]+?$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/231115a614c99e8ddade4cf4c88472bd3801c5c289595fc068e51b77c2c8563f/analysis/; classtype:trojan-activity; sid:45946; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkSky variant outbound connection"; flow:to_server,established; urilen:>160; content:"/activation.php?key="; nocase; http_uri; content:"User-Agent: 2zAz"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/042614cc004f7a5236355cf66531f3b8becabb10a6d6bde9ddae772e2be54fdd/analysis/; classtype:trojan-activity; sid:45945; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Odinaff C&C"; flow:to_client,established; ssl_state:server_hello; content:"|31 0B 30 09 06 03 55 04 06 13 02|--"; content:"|31 12 30 10 06 03 55 04 08 0C 09|SomeState"; content:"|31 11 30 0F 06 03 55 04 07 0C 08|SomeCity"; content:"|31 19 30 17 06 03 55 04 0A 0C 10|SomeOrganization"; content:"|31 1F 30 1D 06 03 55 04 0B 0C 16|SomeOrganizationalUnit"; content:"|31 0F 30 0D 06 03 55 04 03 0C 06|thabet"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098/analysis/1477342434/; classtype:trojan-activity; sid:45944; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC known malicious SSL certificate - Odinaff C&C"; flow:to_client,established; ssl_state:server_hello; content:"|31 0B 30 09 06 03 55 04 06 13 02|XX"; content:"|31 15 30 13 06 03 55 04 07 0C 0C|Default City"; content:"|31 1C 30 1A 06 03 55 04 0A 0C 13|Default Company Ltd"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098/analysis/1477342434/; classtype:trojan-activity; sid:45943; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket"; fast_pattern:only; content:"|74 00 13|Lcom/net/LoginData"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Suspected Unix.Malware.GoScanSSH outbound beacon attempt"; flow:established,to_server; content:"Host: "; http_header; content:".onion."; within:7; distance:16; http_header; urilen:>400; pcre:"/^\x2F[a-zA-Z0-9_\x2D]{400}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a390df91a70c6d745ec1ee660008964a476e0bb9f1e4e15314ab7117221f3832/detection; classtype:trojan-activity; sid:45974; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [2050,7020,7628] (msg:"MALWARE-CNC Win.Trojan.Chafer malicious communication attempt"; flow:established,to_server; content:"/update.php|3F|"; content:"req|3D|"; content:"m|3D|b"; content:!"User-Agent"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/91b58105c4470a5d51b8037b8715524ab021b7fb9f05e9879d4d22ef705e78f0/analysis; classtype:trojan-activity; sid:45973; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [2050,7020,7628] (msg:"MALWARE-CNC Win.Trojan.Chafer malicious communication attempt"; flow:established,to_server; content:"/update.php|3F|"; content:"req|3D|"; content:"m|3D|d"; content:!"User-Agent"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/36909773f0537abd863348c9cf44a1d5d6c5e77badf7df075378e0e51c52f7de/analysis; classtype:trojan-activity; sid:45972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mobef variant outbound connection attempt"; flow:to_server,established; content:"/fukkha.php"; fast_pattern; http_uri; content:"a=286490"; within:50; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/aa2c9c02def2815aa24f5616051aa37e4ce002e62f507b3ce15aac191a36e162/analysis/; classtype:attempted-user; sid:46047; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty file exfiltration outbound request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"id="; depth:3; http_client_body; content:"&pc="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46070; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"cnumber="; http_uri; content:"orname="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module download request"; flow:to_server,established; content:"/football/download/"; depth:19; http_uri; content:!"User-Agent|3A|"; nocase; http_header; content:!"Accept|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"pc="; http_client_body; content:"pc_data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46067; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"ball="; http_client_body; content:"score="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46066; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sigma outbound connection"; flow:to_server,established; urilen:10; content:"/email.bin"; fast_pattern:only; http_uri; content:"User-Agent: Microsoft BITS/"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,virustotal.com/en/file/55f497f3728c57d284bd710bb517d6d2c56f0a6cc2248cfaf649294655abc1bc/analysis/; classtype:trojan-activity; sid:46065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46052; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:46051; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"[^8]&&&"; fast_pattern:only; content:"[^8]&&&"; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46050; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fosniw variant connection attempt"; flow:to_server,established; content:"app.asp?prj="; http_uri; content:"logdata=MacTryCnt:0&code="; within:100; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b0f4f14e9c5e800f0534620ed685f8e21e46829cdb6065006c21b12b806519e4/detection; classtype:trojan-activity; sid:46049; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen variant outbound communication"; flow:established,to_server; content:"/A56WY"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:46048; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Modimer Trojanized MediaGet outbound connection"; flow:to_server,established; content:"video_associations="; fast_pattern:only; http_client_body; content:"/start.php"; http_uri; urilen:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,cloudblogs.microsoft.com/microsoftsecure/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak/; classtype:trojan-activity; sid:46099; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection"; flow:to_server,established; urilen:14; content:"/123/index.php"; fast_pattern:only; http_uri; content:"="; depth:1; offset:1; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1/detection; classtype:trojan-activity; sid:46141; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection"; flow:to_server,established; urilen:14; content:"/555/index.php"; fast_pattern:only; http_uri; content:"="; depth:1; offset:1; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1/detection; classtype:trojan-activity; sid:46140; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection"; flow:to_server,established; urilen:14; content:"/777/index.php"; fast_pattern:only; http_uri; content:"="; depth:1; offset:1; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1/detection; classtype:trojan-activity; sid:46139; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Bandarchor variant outbound connection"; flow:to_server,established; urilen:14; content:"/345/index.php"; fast_pattern:only; http_uri; content:"="; depth:1; offset:1; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1/detection; classtype:trojan-activity; sid:46138; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt"; flow:to_server,established; content:"POST /b/req/"; depth:12; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/octet-stream|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/"; within:103; distance:24; content:")|0D 0A|Host: "; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:46137; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; content:"remetente="; depth:10; fast_pattern; http_client_body; content:"&destinatario"; distance:0; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46136; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"MALWARE-CNC Win.Trojan.Krodown variant connection attempt"; flow:to_server,established; file_data; content:"http://"; depth:7; content:":8888/5.txt"; within:40; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d5d5831105b5f4e048091e5a46c6d02820c768de340970b4614bc1dae74f86ee/analysis/; classtype:trojan-activity; sid:46135; rev:1;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Krodown variant connection attempt"; flow:to_client,established; file_data; content:"echo"; content:">>%systemroot%|5C|system32|5C|drivers|5C|etc|5C|hosts.ics"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d5d5831105b5f4e048091e5a46c6d02820c768de340970b4614bc1dae74f86ee/analysis/; classtype:trojan-activity; sid:46134; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HW32 variant outbound connection"; flow:to_server,established; content:"Cpa=+EXEC+"; depth:10; http_client_body; content:"%27%2C%27"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0b2e8a9413d3b34d532d553922bd402830c1784302fc8ecaeeee17e826798d46/analysis/; classtype:trojan-activity; sid:46129; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Coldroot RAT outbound connection"; flow:to_server,established; content:"|22|PCName|22|:"; fast_pattern:only; content:"|22|Ver|22|:"; nocase; content:"|22|Serial|22|:"; nocase; content:"|22|OS|22|:"; nocase; content:"|22|ID|22|:"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/c20980d3971923a0795662420063528a43dd533d07565eb4639ee8c0ccb77fdf/detection; classtype:trojan-activity; sid:46156; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix file upload attempt"; flow:to_server,established; content:"/images/"; http_uri; content:".bmp"; http_uri; content:"filename=|22|D73B.bin"; fast_pattern:only; http_client_body; content:"MSCF"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/detection; classtype:trojan-activity; sid:46253; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt"; flow:established,to_server; content:"/OU/nc.dat"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/analysis; classtype:trojan-activity; sid:46252; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt"; flow:established,to_server; content:"/OU/freddie.php|3F|"; content:"l|3D|"; content:"brandg"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/analysis; classtype:trojan-activity; sid:46251; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt"; flow:established,to_server; content:"/FBB/brandg.class"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/analysis; classtype:trojan-activity; sid:46250; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt"; flow:established,to_server; content:"/OU/stem.php|3F|"; content:"utma|3D|"; content:"brandg"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/analysis; classtype:trojan-activity; sid:46249; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt"; flow:to_server,established; file_data; content:"User-Agent"; nocase; http_header; content:"Rarog"; within:200; fast_pattern; nocase; http_header; pcre:"/User-Agent\s*:[^\r\n]*Rarog/iH"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46240; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/4.0/method/"; depth:12; nocase; http_uri; pcre:"/\/4\.0\/method\/(check|cores|installSuccess|modules|threads|blacklist)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46239; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rarog outbound communication attempt"; flow:to_server,established; file_data; content:"POST"; nocase; http_method; content:"/2.0/method/"; depth:12; nocase; http_uri; pcre:"/\/2\.0\/method\/(checkConnection|config|delay|error|get|info|setOnline|update)/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46238; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dofoil file download attempt"; flow:established,to_server; content:"/15022018/"; fast_pattern:only; http_uri; content:"Host|3A|"; http_header; content:".bit"; distance:1; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d/analysis; classtype:trojan-activity; sid:46236; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dofoil outbound connection attempt"; flow:established,to_server; content:"/smidSdkjkk/gate.php"; fast_pattern:only; http_uri; content:"client_id|3D|"; http_uri; content:"connected|3D|"; http_uri; content:"server_port|3D|"; http_uri; content:"debug|3D|"; http_uri; content:"sm_id|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d/analysis; classtype:trojan-activity; sid:46235; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blackshades variant outbound communication"; flow:to_server,established; content:"/system/classes/alive.php"; fast_pattern:only; http_uri; content:"?key="; nocase; http_uri; content:"&pcuser="; nocase; http_uri; content:"&pcname="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/86f83fe8dfe6a0bce639e12876d983bb9dbe94d4b1db5062144a93780c1916d9/analysis/; classtype:trojan-activity; sid:46210; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt"; flow:established,to_server; file_data; content:"|24 66 61 3D 27 5A 6E 56 75 59 33 52 70 62 32 34 67 53 57 35 32 62 32 74 6C 4C 56 64 4E 53 55 56|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/3f287e29bcb10b200439626d97dd49521816c8dc847797f5acc7ebfe25b4efc4/analysis/; classtype:trojan-activity; sid:46203; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt"; flow:established,to_client; file_data; content:"|24 66 61 3D 27 5A 6E 56 75 59 33 52 70 62 32 34 67 53 57 35 32 62 32 74 6C 4C 56 64 4E 53 55 56|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/3f287e29bcb10b200439626d97dd49521816c8dc847797f5acc7ebfe25b4efc4/analysis/; classtype:trojan-activity; sid:46202; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Bandios inbound delivery attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"1Q2a3k79"; fast_pattern:only; content:"MD5Final"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/ee3302fc5fca16f74a9fed36f14db4139ca3d9f8a4528e67797862dd91b7f5be/community; classtype:trojan-activity; sid:46286; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Bandios inbound delivery attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"1Q2a3k79"; fast_pattern:only; content:"MD5Final"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/ee3302fc5fca16f74a9fed36f14db4139ca3d9f8a4528e67797862dd91b7f5be/community  ; classtype:trojan-activity; sid:46285; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bandios user agent outbound communication attempt"; flow:to_server,established; content:"User-Agent|3A| DoPost"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2; classtype:trojan-activity; sid:46284; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sanny malware variant FTP login"; flow:to_server,established; content:"USER cnix_21072852|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/#/file/b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4/detection; classtype:trojan-activity; sid:46272; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sanny malware variant FTP login"; flow:to_server,established; content:"PASS vlasimir2017|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp; reference:url,www.virustotal.com/#/file/b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4/detection; classtype:trojan-activity; sid:46271; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Sanny URI request for known malicious URI"; flow:to_server,established; content:"/3.txt"; fast_pattern:only; http_uri; urilen:6; content:"User-Agent: Microsoft-CryptoAPI/6.1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4/detection; classtype:trojan-activity; sid:46270; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Sanny URI request for known malicious URI"; flow:to_server,established; content:"/1.txt"; fast_pattern:only; http_uri; urilen:6; content:"User-Agent: Microsoft-CryptoAPI/6.1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4/detection; classtype:trojan-activity; sid:46269; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Sanny URI request for known malicious URI"; flow:to_server,established; content:"/2.txt"; fast_pattern:only; http_uri; urilen:6; content:"User-Agent: Microsoft-CryptoAPI/6.1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b0f30741a2449f4d8d5ffe4b029a6d3959775818bf2e85bab7fea29bd5acafa4/detection; classtype:trojan-activity; sid:46268; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Matrix outbound connection"; flow:to_server,established; content:"add.php?apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,"www.virustotal.com/#/file/996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9/detection"; classtype:trojan-activity; sid:46339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:established,to_server; content:"IHkoeWRrcnkpIikqNy95ZCB5LSl5ZCB5"; depth:40; fast_pattern; http_client_body; content:!"Referer|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/fd08f6bc823cbfa495f0568ba4284e02f1cad57e56bd04ef0a0b948ea9dddee4/details; classtype:trojan-activity; sid:46378; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/p/wokaixin158998/detail"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/c65318aa58c9091b938948b62c4b5d6e47237697d8d2f96863f99ef177b6818d/detection; classtype:trojan-activity; sid:46364; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/p/haoxingfu12389/detail"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/c65318aa58c9091b938948b62c4b5d6e47237697d8d2f96863f99ef177b6818d/detection; classtype:trojan-activity; sid:46363; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/p/haoxingfu88/detail"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/c65318aa58c9091b938948b62c4b5d6e47237697d8d2f96863f99ef177b6818d/detection; classtype:trojan-activity; sid:46362; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/abfdbnas3"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/aa183fda57fde0137ab931f3729215956e6f9ee158d90ed82151948f70db841b/detection; classtype:trojan-activity; sid:46361; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/cdvsvfa2"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/aa183fda57fde0137ab931f3729215956e6f9ee158d90ed82151948f70db841b/detection; classtype:trojan-activity; sid:46360; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/asbfdee1"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/aa183fda57fde0137ab931f3729215956e6f9ee158d90ed82151948f70db841b/detection; classtype:trojan-activity; sid:46359; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/user/329505325"; fast_pattern:only; http_uri; content:"Host: my.tv.sohu.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/aa183fda57fde0137ab931f3729215956e6f9ee158d90ed82151948f70db841b/detection; classtype:trojan-activity; sid:46358; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/user/329505231"; fast_pattern:only; http_uri; content:"Host: my.tv.sohu.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/detection; classtype:trojan-activity; sid:46357; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Wroba outbound connection"; flow:to_server,established; content:"/user/329505338"; fast_pattern:only; http_uri; content:"Host: my.tv.sohu.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/5916b8c0c0668d106ebfcad97eb5c90687c873a732eb61f00e5d7033f8fd85ed/detection; classtype:trojan-activity; sid:46356; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46439; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46438; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46437; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46436; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string "; flow:to_server,established; content:"User-Agent|3A| USR-KL"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46435; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo client outbound connection"; flow:established,to_server; content:"|01 00 00 00 01 01 00 00 01 00 00 00 00 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46434; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo initial connection"; flow:established, to_server; content:"data=85702b2fccafcb2f"; depth:21; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46433; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraens initial outbound request"; flow:to_server,established; content:"/up_d.php"; fast_pattern:only; http_uri; content:"{|22|i|22|:"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46423; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46422; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46421; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Autoit outbound connection"; flow:to_server,established; content:"win32=FFD8FFE000104A464946"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ac4e164b463c313af059760ce1f830c19b0d5a280ec80554e8f77939143e24e; classtype:trojan-activity; sid:46416; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Bitvote miner kernel driver payload download attempt"; flow:to_client,established; flowbits:isset,file.gif; file_data; content:"lKTD"; fast_pattern; content:"MZ"; within:50; content:"This program cannot be run in DOS mode"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/019426698cb1cc733024c38d0d09ff5dcac1ad9cf81d26c092a278f72f131e59/analysis/; classtype:trojan-activity; sid:46407; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Bitvote miner kernel driver outbound request attempt"; flow:to_server,established; content:"/dr.php"; fast_pattern:only; http_uri; content:"mid="; nocase; http_client_body; content:"agentid="; nocase; http_client_body; content:"idx="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/019426698cb1cc733024c38d0d09ff5dcac1ad9cf81d26c092a278f72f131e59/analysis/; classtype:trojan-activity; sid:46406; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"1="; http_client_body; content:"2="; http_client_body; pcre:"/(^|&)\d{1,2}=[^&]*?\d{4}/Pm"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46502; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"99="; http_uri; content:"f1="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46501; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ammy download attempt"; flow:to_server,established; content:"/q2/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&c="; http_uri; content:"&mk="; http_uri; content:"&il="; http_uri; content:"&vr="; http_uri; content:"&bt="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46488; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ammy heartbeat"; flow:to_server,established; content:"id="; depth:3; offset:5; content:"&os="; within:4; distance:8; content:"&priv="; distance:0; content:"&cred="; distance:0; content:"&pcname="; distance:0; content:"&build_time="; distance:0; fast_pattern; content:"&card="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46487; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration"; flow:established,to_server,only_stream; content:"GET /v1 HTTP/1.1"; depth:16; fast_pattern; content:"Connection: "; http_header; content:"User-Agent: "; http_header; content:"Accept-Encoding: "; http_header; content:"Accept-Language: "; http_header; content:"Host: "; http_header; detection_filter:track by_src,count 3,seconds 6; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c/analysis/; classtype:trojan-activity; sid:46482; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt"; flow:to_server,established; file_data; content:"%TEMP%|5C|MonoCecil"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/ff067b9450decd99ba6fccb3eaa15ed669e9bb40d4b24e131e51e9e3570073b0; classtype:trojan-activity; sid:46479; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt"; flow:to_server,established; file_data; content:"%TEMP%|5C|Microsoft_SQL_SDKs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/ff067b9450decd99ba6fccb3eaa15ed669e9bb40d4b24e131e51e9e3570073b0; classtype:trojan-activity; sid:46478; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt"; flow:to_client,established; file_data; content:"%TEMP%|5C|Microsoft_SQL_SDKs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/ff067b9450decd99ba6fccb3eaa15ed669e9bb40d4b24e131e51e9e3570073b0; classtype:trojan-activity; sid:46477; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.SquirtDanger inbound delivery attempt"; flow:to_client,established; file_data; content:"%TEMP%|5C|MonoCecil"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/1f42c85b43acdaaf98f6f522bd5394c5351ca7cf27187e3c08d32f18fa00fc32; classtype:trojan-activity; sid:46476; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.SquirtDanger get module list outbound request"; flow:to_server,established; content:"IConnector|0D|GetModuleList"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/90ac1fb148ded4f46949a5fea4cd8c65d4ea9585046d66459328a5866f8198b2; classtype:trojan-activity; sid:46475; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/tm/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46591; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/pz/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46590; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/mn/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46589; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/kk/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46588; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/gr/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/5ad70ea6d1477d48170793ccf5adb482eb0bad21e9d1a4ba95937049bd24532d/detection; classtype:trojan-activity; sid:46587; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/tm.zip"; http_uri; pcre:"/\/\d{8}\/tm\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46586; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/pz.zip"; http_uri; pcre:"/\/\d{8}\/pz\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46585; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/mn.zip"; http_uri; pcre:"/\/\d{8}\/mn\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46584; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/kk.zip"; http_uri; pcre:"/\/\d{8}\/kk\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46583; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/gr.zip"; http_uri; pcre:"/\/\d{8}\/gr\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46582; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ap.zip"; http_uri; pcre:"/\/\d{8}\/ap\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46581; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/al.zip"; http_uri; pcre:"/\/\d{8}\/al\.zip/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46580; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious system information disclosure"; flow:to_server,established; file_data; content:"vv="; content:"vw="; content:"mods="; content:"uname="; content:"cname="; content:"os="; content:"is="; content:"iss="; content:"iav="; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/aca39ba30759eaf9fbfc911aadfb9a61ef1bf70bcd35bebcd8161a48660a3228/detection; classtype:trojan-activity; sid:46579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious system information disclosure"; flow:to_server,established; content:"/av/"; http_uri; content:"/page2.php"; distance:2; http_uri; content:"AT="; http_client_body; content:"MD="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/223d79984a171b854b72026f6ca0c7a24bbc229db91ab6e26639af4a2de0da1e/detection; classtype:trojan-activity; sid:46578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/ap/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46577; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/ilha/al/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46576; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/mbvbs/"; http_uri; content:".zip"; distance:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a279131ec03d0c6a148f6db6e5263a588724531325cd52d2bd0917311c8268d6/detection; classtype:trojan-activity; sid:46575; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload malicious file download"; flow:to_server,established; content:"/xver/"; http_uri; content:".zip"; distance:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ba5062343ac64a138251b3f54861c85773b357cff0d007538099981b8eadd425/detection; classtype:trojan-activity; sid:46574; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Gandcrab variant outbound connection"; flow:to_server,established; content:".bit|0D 0A|"; http_header; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ad48c3770736588b17b4af2599704b5c86ff8ae6dadd30df59ea2b1ccc221f9c/analysis/; classtype:trojan-activity; sid:46636; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Rubella Macro Builder generated payload"; flow:to_client,established; file_data; content:"Dim"; content:"reat"; content:"|22|ell"; within:75; fast_pattern; pcre:"/V(BA|.BA|B.A).{0,50}C(.reate|r.eate|re.ate|rea.te|reat.e|reate).{0,75}\x22ell/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/71ce7315d302a7d3ec6fac6534f262de213be59a19f84182c94b182cbe277f14/detection; classtype:trojan-activity; sid:46631; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Rubella Macro Builder generated payload"; flow:to_client,established; file_data; content:"Dim"; content:"reat"; content:"ell|22|"; within:75; fast_pattern; pcre:"/V(BA|.BA|B.A).{0,50}C(.reate|r.eate|re.ate|rea.te|reat.e|reate).{0,75}ell\x22/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/71ce7315d302a7d3ec6fac6534f262de213be59a19f84182c94b182cbe277f14/detection; classtype:trojan-activity; sid:46630; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Rubella Macro Builder generated payload"; flow:to_server,established; file_data; content:"Dim"; content:"reat"; content:"ell|22|"; within:75; fast_pattern; pcre:"/V(BA|.BA|B.A).{0,50}C(.reate|r.eate|re.ate|rea.te|reat.e|reate).{0,75}ell\x22/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/71ce7315d302a7d3ec6fac6534f262de213be59a19f84182c94b182cbe277f14/detection; classtype:trojan-activity; sid:46629; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Rubella Macro Builder generated payload"; flow:to_server,established; file_data; content:"Dim"; content:"reat"; content:"|22|ell"; within:75; fast_pattern; pcre:"/V(BA|.BA|B.A).{0,50}C(.reate|r.eate|re.ate|rea.te|reat.e|reate).{0,75}\x22ell/s"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/71ce7315d302a7d3ec6fac6534f262de213be59a19f84182c94b182cbe277f14/detection; classtype:trojan-activity; sid:46628; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Unruy outbound callout"; flow:to_server,established; content:".php?q="; fast_pattern:only; http_uri; content:"Accept-Language: en-us"; http_header; content:"Accept-Encoding: gzip, deflate"; http_header; content:"Connection: Keep-Alive"; http_header; content:"Referer: http://www.google.com"; http_header; pcre:"/.php\?q=\d{1,4}\.\d{2,4}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.[0-9a-f]{64}\.1.\d{4,6}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46612; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload second stage download request"; flow:established,to_server; isdataat:!100; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3A 20|http"; http_header; content:".zip HTTP/1.1|0D 0A|Host|3A 20|"; fast_pattern:only; pcre:"/GET \/\w*.zip HTTP\/1.1\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:46611; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackIce variant outbound connection"; flow:to_server,established; content:"/blackice/"; nocase; http_uri; content:"User-Agent: blackice/1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2acafc3bd1b5355971f48b456cf697e67e55624cc5095ae7ebac05a48a80ba0e/detection; classtype:trojan-activity; sid:46609; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blackshades variant outbound communication"; flow:to_server,established; content:"/system/classes/fg.php?key="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/86f83fe8dfe6a0bce639e12876d983bb9dbe94d4b1db5062144a93780c1916d9/analysis/; classtype:trojan-activity; sid:46608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.Crossrider outbound download request"; flow:to_server,established; content:"/sdl/mmStub.tar.gz?ts="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5b57f555f1d0500026235635ef8d761306bb4a8a8d25762677734eed269298bf/detection; classtype:trojan-activity; sid:46700; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Brontok user-agent outbound connection"; flow:to_server,established; content:"User-Agent|3A| Administrator"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9b504da9e77ec067b0577b557443f76e84717cb00455ce39138eeaf344f3d2e3/analysis/; classtype:trojan-activity; sid:46642; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 05|child|01 00 16|"; depth:11; content:"|22|magic|22|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46748; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 07|nemesis"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46747; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt"; flow:to_client,established; content:"Content-Type:"; nocase; http_header; content:"application/java-vm"; within:50; fast_pattern; http_header; file_data; content:"MZ"; depth:2; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46744; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt"; flow:to_server,established; content:".php?utma"; fast_pattern:only; http_uri; content:!"Referer:"; nocase; http_header; pcre:"/(stem|slick)\.php\?utma/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46743; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious script download attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"ActiveXObject"; nocase; content:"WScript.Shell"; fast_pattern; nocase; content:"p o w e r s h e l l"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46742; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dharma ransomware dropper outbound connection"; flow:to_server,established; content:"/infolan.php"; fast_pattern:only; http_uri; content:"|7B 22|LanCnt|22 3A|"; depth:10; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d913558f256224e6352b12cb6137ad8a789670b6c4d3a3a665ba8a0b961b2828/analysis/; classtype:trojan-activity; sid:46796; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dharma ransomware dropper initial outbound connection"; flow:to_server,established; content:"User-Agent|3A| infobot|0D 0A|"; fast_pattern:only; http_header; content:"|22|userpass|22|"; http_client_body; content:"|22|bits|22|"; http_client_body; content:"|22|disk|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a39af09bf65d8942d0c943151cdde8c04b302c5c0b115ab80759e226b50e743b/analysis/; classtype:trojan-activity; sid:46795; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Outbound malicious vbscript attempt"; flow:to_server,established; file_data; content:"/ilha/"; fast_pattern; nocase; http_uri; content:"logs.php"; within:9; distance:2; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46792; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/spyMobile/upload.php"; fast_pattern:only; http_uri; content:"iemi="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46790; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/get/index.php"; http_uri; content:"id=Z29nbw=="; fast_pattern:only; http_uri; content:"user="; http_uri; content:"pass="; http_uri; content:"data="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46789; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/index.php?set=show"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46788; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46787; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy initial outbound request"; flow:to_server,established; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46786; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string"; flow:to_server,established; content:"User-Agent|3A| Mozilla v5.1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46785; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_server,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46783; rev:5;)
alert tcp $EXTERNAL_NET [443,8443] -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_client,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46782; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vega variant outbound connection detected"; flow:to_server,established; content:"/foaf.php"; fast_pattern:only; http_uri; urilen:9; content:"c="; nocase; http_client_body; isdataat:1000,relative; content:!"&"; within:1000; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign; classtype:trojan-activity; sid:46838; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Vega variant outbound connection detected"; flow:to_server,established; content:"/lipomargara/lossyc.yarn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign; classtype:trojan-activity; sid:46837; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Vega variant outbound connection detected"; flow:to_server,established; content:"/cachedmajsoea/index.php?e=lossyc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign; classtype:trojan-activity; sid:46836; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; flow:to_server,established; content:"|00 00 A2 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00|"; depth:32; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:46827; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.N40 variant outbound connection"; flow:to_server,established; content:"/ponto.php"; fast_pattern:only; http_uri; content:"GENERAL="; depth:8; http_client_body; content:"&VERSAO="; within:75; http_client_body; content:"&NAVEGADOR="; within:75; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/bd5c8d44b1ec1a4ba712aa7e853f89d934bd459a2e502d4fce83b4be9cc90ca3/analysis/; classtype:trojan-activity; sid:46821; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.QuantLoader variant outbound connection attempt"; flow:to_server,established; content:"/main/index.php"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"c="; http_uri; content:"mk="; http_uri; content:"il="; http_uri; content:"vr="; http_uri; content:"bt="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/502497f5d165b64a2e287d77a06b34abcdedff227089217a874f49f58b536e92/analysis/; reference:url,virustotal.com/en/file/b87e0dd9b0e032c6d2d5f0bf46f00243a2a866bf1d3d22f8b72737b4aa1148eb/analysis/; classtype:trojan-activity; sid:46820; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Satan outbound connection"; flow:to_server,established; content:"/data/token.php"; fast_pattern:only; http_uri; content:"status="; nocase; http_uri; content:"code="; nocase; http_uri; content:"Winnet Client"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46818; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC GPON botnet outbound communication"; flow:to_server,established; content:"/r -O -"; fast_pattern:only; http_uri; content:"/r+-O+-"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46842; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound connection"; flow:to_server,established; content:".NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length"; fast_pattern:only; http_header; urilen:<20; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|"; http_header; content:!"Content-Type"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/analysis/; classtype:trojan-activity; sid:46839; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 20480 (msg:"MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt"; flow:to_server,established; content:"+CHANNEL|0B|"; fast_pattern:only; content:"line-client"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46873; rev:1;)
alert tcp $EXTERNAL_NET 20480 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CowerSnail command and control response detected"; flow:to_client,established; content:"pk"; depth:2; content:"R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; content:"|00|a|00|r|00|g|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.NavRat payload download"; flow:to_server,established; content:"/skin_board/s_build_cafeblog/exp_include/img.png"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574/analysis/; classtype:trojan-activity; sid:46871; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal outbound connection"; flow:to_server,established; content:"/server/gate.php"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; content:"name=|22|pcount|22|"; http_client_body; content:"name=|22|cccount|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e/analysis/; classtype:trojan-activity; sid:46895; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Worm.SysinfY2X outbound beacon"; flow:established,to_server; content:"bot/lancer/index.php?cmd="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fe9c78249937d57aaed2792238caeea298e715d9cf261add1fbfbaeeab084d40/detection; classtype:trojan-activity; sid:46894; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Joanap variant outbound connection"; flow:to_server,established; content:"TO: Joana <xiake722@gmail.com>"; fast_pattern:only; content:"SUBJECT: |5B|T|5D|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; classtype:trojan-activity; sid:46885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DarkSeoul variant payload download"; flow:to_server,established; content:"/e107/e107_files/js/e107_001.cab"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6c627a4be54b6377af9f73ab0923aeebcccbb57ec94e995a2171deb69d61af9d/analysis/; classtype:trojan-activity; sid:46959; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt"; flow:to_client,established; file_data; content:"[|22 5C|x69|5C|x64|22|]=|27||5C|x6d|5C|x5f|5C|x67|5C|x5f|5C|x61|27|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/b672224d6d3776da343ae0e15c32815082aa514805b5efe47fb2c678c861d534/detection; classtype:trojan-activity; sid:46946; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper outbound connection"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/analysis/; classtype:trojan-activity; sid:46936; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/panel/logout.php"; depth:17; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:46922; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection"; flow:to_server,established; content:"Content-Disposition: form-data|3B| name=|22|board_id|22|"; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|user_id|22|"; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|file1|22|"; http_client_body; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c10363059c57c52501c01f85e3bb43533ccc639f0ea57f43bae5736a8e7a9bc8/detection; reference:url,www.virustotal.com/#/file/e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292/detection; classtype:trojan-activity; sid:46970; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autophyte dropper variant outbound connection"; flow:to_server,established; urilen:10; content:"/mainls.cs"; fast_pattern:only; http_uri; content:"Content-Type: application/octet-stream"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/086a50476f5ceee4b10871c1a8b0a794e96a337966382248a8289598b732bd47/detection; classtype:trojan-activity; sid:46969; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=T&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46968; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=F&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46967; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=S&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46966; rev:1;)
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Backswap self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"SomeOrganizationalUnit"; fast_pattern:only; content:"root@DS848885.clientshostname.com"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/#/file/5349a0c06823fa285faa31381b5566b2a3d8990f6a5b6775288471caa35f8516; classtype:trojan-activity; sid:46965; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ammyy RAT outbound connection"; flow:to_server,established; content:"&priv="; content:"&cred="; fast_pattern:only; content:"&pcname="; content:"&avname="; content:"&build_time="; content:"&card="; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/bab69fb29c167451608f0840ede9dfb4c3c52fa0da5f38089ac7f2afbd94d867/detection; classtype:trojan-activity; sid:46964; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Taplika toolbar download attempt"; flow:to_server,established; content:"php?context="; fast_pattern:only; http_uri; content:"&status="; http_uri; content:"&sesid="; http_uri; content:"&iid="; http_uri; content:"&cd="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/6a9b041b65d699da4ecb66b2c0a7321e82a81b4aae03f0d7b7382f8d598bc471/analysis/; classtype:trojan-activity; sid:46963; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yoban RAT outbound connection"; flow:to_server,established; content:"7n6HZllH="; fast_pattern:only; content:"/ch49/"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/80384531435a6281a53f8d2b6f10a9aa80c199fac9f7684d7be4c53922b5e773/detection; classtype:trojan-activity; sid:46985; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yoban RAT outbound connection"; flow:to_server,established; content:"/newbuild/t.php?stats="; fast_pattern:only; http_uri; content:"&thread="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/80384531435a6281a53f8d2b6f10a9aa80c199fac9f7684d7be4c53922b5e773/detection; classtype:trojan-activity; sid:46984; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|02|"; within:1; distance:3; content:"|0C|Orcus Server"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/en/file/8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a/analysis/; classtype:trojan-activity; sid:46981; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,1337,5156] (msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"/uploads/excutbls/h/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000,5156,7218] (msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"POST /cl/uplod/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [1433,5003] (msg:"MALWARE-CNC Win.Trojan.MnuBot variant outbound SQL connection"; flow:to_server,established; content:"S|00|E|00|T|00 20 00|F|00|M|00|T|00|O|00|N|00|L|00|Y|00 20 00|O|00|N|00 20 00|s|00|e|00|l|00|e|00|c|00|t|00 20 00|*|00 20 00|f|00|r|00|o|00|m|00 20 00|x|00|g|00|o|00|r|00|d|00|o"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/7e8ee86a1170ca5bbac64b5cab8817a4e65e76a78d36e242fba3755338174781/; classtype:trojan-activity; sid:46998; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Malware.Innaput variant outbound connection"; flow:established,to_server,no_stream; isdataat:!60; isdataat:59; content:"|00 00 00 00|"; depth:4; pcre:"/^\x00\x00\x00\x00[0-9a-f]{24}\x00/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/1570e5d88d14111fb0293fdb9764f34ff19550a1f97c9dee684607924f5a3bb4/detection; classtype:trojan-activity; sid:47030; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection detected"; flow:to_server,established; content:"/search.php"; fast_pattern:only; http_uri; content:"var="; nocase; http_uri; content:"name="; nocase; http_uri; content:"n="; nocase; http_uri; content:"o="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection detected"; flow:to_server,established; content:"/config.php"; fast_pattern:only; http_uri; content:"inst="; nocase; http_uri; content:"name="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47026; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Syndicasec variant outbound connection"; flow:to_server,established; content:"P0wned by Q"; fast_pattern:only; http_client_body; content:"IP:"; nocase; http_client_body; content:"/interface/xmlrpc"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets; classtype:trojan-activity; sid:47025; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection"; flow:to_server,established; content:"/www/"; depth:5; fast_pattern; http_uri; content:"/00"; distance:0; http_uri; content:!"Accept|3A|"; http_header; pcre:"/\/www\/(%[A-F0-9]{2}){5,}\/00/I"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/be554e706f6b8ab8f4bbea209b669e9dca98bf647faa55c46756f322dadab32f/analysis/; classtype:trojan-activity; sid:47016; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ICLoader outbound connection"; flow:to_server,established; content:"|0A|User-Agent|3A 20|Christmas Mystery"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c3267535c9f16940b939f74298ec902db6ebe187461c015bc48b6bf13a9aa808/analysis/1529443552/; classtype:trojan-activity; sid:47051; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; file_data; content:"|C7 04 24 DA E1 61 FF C7 44 24 04 0C 27 95 87 C7 44 24 08 17 57 A4 D6 C7 44 24 0C EA E3 82 2B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210/analysis/; classtype:trojan-activity; sid:47090; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; file_data; content:"|C7 45 30 85 C0 7C 17 C7 45 34 8B 4D F4 8B C7 45 38 76 20 33 C0 C7 45 3C 3B C8 77 0B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8/analysis/; classtype:trojan-activity; sid:47089; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; file_data; content:"|C6 44 24 0C DA C6 44 24 0D E1 C6 44 24 0E 61 C6 44 24 0F FF C6 44 24 10 0C C6 44 24 11 27 C6 44|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/3c809a10106990ba93ec0ed3b63ec8558414c6680f6187066b1aacd4d8c58210/analysis/; classtype:trojan-activity; sid:47088; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; file_data; content:"|C6 44 24 14 75 C6 44 24 15 0E C6 44 24 1A C1 C6 44 24 1C 84 C6 44 24 1D D2 C6 44 24 1E 75 C6 44|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/d1d490866d4a4d29306f0d9300bffc1450c41bb8fd62371d29672bf9f747bf92/analysis/; classtype:trojan-activity; sid:47087; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TYPEFRAME malware download attempt"; flow:to_client,established; flowbits:isnotset,file.msi; flowbits:isnotset,file.packed; file_data; content:"|85 C6 44 24 16 7C C6 44 24 17 17 C6 44 24 19 4D C6 44 24 1A F4 C6 44 24 1C 76 C6 44 24 1D 20 C6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/8c3e0204f52200325ed36db9b12aba1c5e46984d415514538a5bf10783cacdf8/analysis/; classtype:trojan-activity; sid:47086; rev:1;)
alert tcp any any -> any any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant connection attempt"; flow:stateless; flags:S+; content:"|0C 15 22 2B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:47084; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Powershell PRB backdoor initial outbound communication attempt"; flow:to_server,established; content:"Content-Length|3A| 199|0D 0A|"; fast_pattern:only; http_header; content:"=="; depth:2; offset:194; http_client_body; pcre:"/^[A-Za-z0-9+\/]{194}==\d{2}/P"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b/analysis/; classtype:trojan-activity; sid:47076; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Smokeloader outbound response"; flow:established,to_client; content:"Content-Length: 7|0D 0A|"; fast_pattern:only; http_header; content:"404"; http_stat_code; file_data; content:"|03 00 00 00|"; depth:4; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40/detection; classtype:trojan-activity; sid:47073; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/update_new.php?"; fast_pattern:only; http_uri; content:"code="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/register.php?"; fast_pattern:only; http_uri; content:"p="; nocase; http_uri; content:"&code="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47068; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/show_new.php?"; fast_pattern:only; http_uri; content:"code="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47067; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.XAgent variant outbound connection"; flow:to_server,established; content:"&itwm="; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6; classtype:trojan-activity; sid:48140; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/cfg?cb="; fast_pattern:only; http_uri; content:"&guid="; http_uri; content:"&uid="; distance:0; http_uri; content:"&ua="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48120; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48119; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48118; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/ufiles/"; fast_pattern:only; http_uri; content:".dll"; http_uri; content:"UID: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48117; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/gl.php?uid="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&x="; within:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48116; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/dl.itranslator.info/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48115; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"Accept:*/*"; http_header; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/analysis; classtype:trojan-activity; sid:48093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/image_download.php?uid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/analysis; classtype:trojan-activity; sid:48092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/6SrlScT/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/MUHagMS/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48090; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/1RurEqF/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48089; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/xIeDFfp/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48088; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/6pGAbF/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48087; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/ms27r/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48086; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/o2x7Bx/"; fast_pattern:only; http_uri; content:!"User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/B12749AD0E060AE0B715A83EBD1BFEA23E0B9F4968DAC80CC604FC229C55052F/analysis; classtype:trojan-activity; sid:48085; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/pidoras6"; fast_pattern:only; http_uri; content:"User-Agent: Opera/9.80 (Windows NT 6.0) Presto/2.12.388"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/A25F83694449EB297D91D5059954FA1EBE98BABDFAC2E98B76FD1F695AE44964/analysis; classtype:trojan-activity; sid:48084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"03488030fb57e825ca7f652571f12f15dbb069220773190978b85793c9ecfead"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/A25F83694449EB297D91D5059954FA1EBE98BABDFAC2E98B76FD1F695AE44964/analysis; classtype:trojan-activity; sid:48083; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent download attempt"; flow:to_server,established; content:"/nuwpqicunde.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/053ca5737cbd3df1936c9e945e90fa244fb4b8705da0659bbcfd6aa5bfa50cd9; classtype:trojan-activity; sid:48082; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound connection"; flow:to_server,established; content:"/download/Stp5.exe?aid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/536148b202ddf00bf76f28bea53399ac16764de8628c71209ea22f5aa31a9681; classtype:trojan-activity; sid:48081; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound connection"; flow:to_server,established; content:"/s2s_install.exe"; fast_pattern:only; http_uri; content:"tracking="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/536148b202ddf00bf76f28bea53399ac16764de8628c71209ea22f5aa31a9681; classtype:trojan-activity; sid:48080; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramnit variant outbound connection"; flow:to_server,established; content:"/update20180524/bundles.xml"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/536148b202ddf00bf76f28bea53399ac16764de8628c71209ea22f5aa31a9681; classtype:trojan-activity; sid:48079; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Libs.zip"; fast_pattern:only; http_uri; urilen:9; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"browser/Vivaldi.txtPK"; fast_pattern:only; http_client_body; content:"/Upload/"; http_uri; urilen:8; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; urilen:200<>250; content:"/scripts/m/query.php?id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/2a61b4d0a7c5d7dc13f4f1dd5e0e3117036a86638dbafaec6ae96da507fb7624/analysis/; classtype:trojan-activity; sid:48028; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BabaYaga outbound connection"; flow:to_server,established; content:"/sserpdrow/ipconfig"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/; classtype:trojan-activity; sid:48027; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BabaYaga outbound connection"; flow:to_server,established; content:"/pw/versionORG"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/; classtype:trojan-activity; sid:48026; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC BabaYaga inbound connection"; flow:to_server,established; content:"wpsroot"; fast_pattern:only; nocase; http_uri; content:"User-Agent: "; nocase; http_header; content:"en.support.wordpress.com"; within:75; nocase; http_header; content:!"Host: en.support.wordpress.com"; nocase; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*en\x2esupport\x2ewordpress\x2ecom/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/; classtype:trojan-activity; sid:48025; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PyLocky outbound connection attempt"; flow:to_server,established; content:"/wp-system.php"; fast_pattern:only; http_uri; content:"PCNAME="; nocase; http_client_body; content:"IV="; nocase; http_client_body; content:"GC="; nocase; http_client_body; content:"PASSWORD="; nocase; http_client_body; content:"CPU="; nocase; http_client_body; content:"LANG="; nocase; http_client_body; content:"INSERT="; nocase; http_client_body; content:"UID="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c9c91b11059bd9ac3a0ad169deb513cef38b3d07213a5f916c3698bb4f407ffa/analysis/; classtype:trojan-activity; sid:48024; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Viro variant outbound connection"; flow:to_server,established; content:"/noauth/register"; fast_pattern:only; http_uri; content:"crypto_id="; depth:10; http_client_body; content:"&product_id="; within:50; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/911b25a4d99e65ff920ba0e2ef387653b45789ef4693ef36d95f14c9777a568b/analysis/; classtype:trojan-activity; sid:48022; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_server,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r"; fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47936; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_client,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r"; fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47935; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant outbound connection"; flow:to_server,established; content:"MS_D0wnl0ad3r"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47934; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/file/Documents/document_78219"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792; classtype:trojan-activity; sid:47906; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/transactions/id02082018.jpg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792; classtype:trojan-activity; sid:47905; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/Document00591674.doc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792; classtype:trojan-activity; sid:47904; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/documents/2018/fraud/fraud_16082018.doc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0367554ce285a3622eb5ca1991cfcb98b620d0609c07cf681d9546e2bf1761c4; classtype:attempted-user; sid:47903; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/invoice/id/305674567"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9c0ddfcfb8d1e64332fa7420f690e65a6c4ecbeef6395f4c7645da51098962cc; classtype:trojan-activity; sid:47902; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CobInt outbound connection"; flow:to_server,established; content:"/xaczkajeieypiarll"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792; classtype:trojan-activity; sid:47901; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /pser?"; fast_pattern:only; pcre:"/\x2fpser\x3f[A-F0-9]{3,84}(BBZ|BBY)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47900; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /khc?"; fast_pattern:only; pcre:"/\x2fkhc\x3f[A-F0-9]{3,84}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47899; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /tahw?"; fast_pattern:only; pcre:"/\x2ftahw\x3f[A-F0-9]{3,84}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47898; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server, established; content:"/private/checkPanel.php"; fast_pattern:only; http_uri; content:"User-Agent:"; http_header; content:"Android"; within:100; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server, established; content:"/private/"; fast_pattern; http_uri; content:".php"; distance:0; http_uri; content:"p="; http_client_body; content:"User-Agent:"; http_header; content:"Android"; within:100; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5416 (msg:"MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection"; flow:to_server,established; content:"GET /?q="; depth:8; content:":ICAi"; fast_pattern:only; pcre:"/\/\?q=[0-9]{15}\-[0-9]{1,2}:ICAi/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/a342a16082ea53d101f556b50532651cd3e3fdc7d9e0be3aa136680ad9c6a69f/analysis/; classtype:trojan-activity; sid:47860; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Java.Trojan.Adwind variant outbound connection"; flow:to_server,established; content:"|00 00 00 04 77 2A 00 28|"; depth:8; isdataat:39,relative; pcre:"/\x77\x2a\x00\x28[a-f0-9]{40}/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/file/0a2f74a7787ae904e5a22a3c2b3acf0316c10b95fae08cced7ca5e2fcc7d9bf8/analysis; classtype:trojan-activity; sid:47843; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownloadGuide variant outbound traffic"; flow:to_server,established; content:"/public-source/downloadguide/chip-eu/"; http_uri; content:".zip"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d4275116c2084c9d4e698c25c2774ab714e498c5737a0a0f6b929cc3f6a2fe47/; classtype:trojan-activity; sid:47837; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownloadGuide variant outbound traffic"; flow:to_server,established; content:"/config-from-production"; fast_pattern; http_uri; content:"{|22|os|22 3A 22|"; depth:7; http_client_body; content:"|22|lang|22 3A 22|"; distance:0; http_client_body; content:"|22|uid|22 3A 22|"; distance:0; http_client_body; content:"|22|prod|22 3A 22|"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d4275116c2084c9d4e698c25c2774ab714e498c5737a0a0f6b929cc3f6a2fe47/; classtype:trojan-activity; sid:47836; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DownloadGuide variant outbound traffic"; flow:to_server,established; content:"/1/dg/3"; fast_pattern; http_uri; content:"{|22|BuildId|22|:"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content:"|22|TrackBackUrl|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d4275116c2084c9d4e698c25c2774ab714e498c5737a0a0f6b929cc3f6a2fe47/; classtype:trojan-activity; sid:47835; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.njrat njRAT trojan variant download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|0F 84 B9 76 06 00 8D 84 24 10 2B 00 00 50 8D 84 24 0C 29 00 00 50 8D 84 24 F8 04 00 00 50 8D 84|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/f3f91f89b9a9387843c251e7fce65bb90d8463df6c3751a29a43ff8d71c9f66e/detection; classtype:trojan-activity; sid:47826; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.njrat njRAT trojan variant download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|0F 84 B9 76 06 00 8D 84 24 10 2B 00 00 50 8D 84 24 0C 29 00 00 50 8D 84 24 F8 04 00 00 50 8D 84|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f3f91f89b9a9387843c251e7fce65bb90d8463df6c3751a29a43ff8d71c9f66e/detection; classtype:trojan-activity; sid:47825; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.njrat njRAT trojan variant download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"matemdeea"; fast_pattern:only; content:"Copyright |C2 A9|  2018"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/1399b9bf2a5625725037e7e0a560e0b6c0c891662bd4c353801bd74067570cb5/detection; reference:url,www.virustotal.com/#/file/68648f0a3501a59d3bdbbf9d178be48758c92d5441f635f6bc30c47a932abea8/detection; reference:url,www.virustotal.com/#/file/e10697181dd1634c4883137252df8051a211d0a6cd7ab30fbb1ef7a4cdef1e0d/detection; classtype:trojan-activity; sid:47824; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.njrat njRAT trojan variant download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"matemdeea"; fast_pattern:only; content:"Copyright |C2 A9|  2018"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1399b9bf2a5625725037e7e0a560e0b6c0c891662bd4c353801bd74067570cb5/detection; reference:url,www.virustotal.com/#/file/68648f0a3501a59d3bdbbf9d178be48758c92d5441f635f6bc30c47a932abea8/detection; reference:url,www.virustotal.com/#/file/e10697181dd1634c4883137252df8051a211d0a6cd7ab30fbb1ef7a4cdef1e0d/detection; classtype:trojan-activity; sid:47823; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1700 (msg:"MALWARE-CNC Win.Trojan.njrat njRAT trojan outbound attempt"; flow:to_server; content:"1234No1234N/A1234"; fast_pattern:only; content:"==1234"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,zscaler.com/blogs/research/njrat-pushes-lime-ransomware-and-crypto-wallet-grabbers; classtype:trojan-activity; sid:47822; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32.Backdoor.Turla variant outbound connection"; flow:to_server, established; content:"default.asp"; nocase; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0)"; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0d1fe4ab3b074b5ef47aca88c5d1b8262a1293d51111d59c4e563980a873c5a6/detection; classtype:trojan-activity; sid:47773; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.GandCrab outbound connection"; flow:to_server,established; content:"wfKD6iudumBkmpL8IRr"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/8163602357b51402b8e34b385b0228ac4a603e19c6c8006e1c7a7a8099450742/; classtype:trojan-activity; sid:47766; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.MysteryBot outbound connection"; flow:to_server,established; content:"/site/gate.php?i=eyAiYWN0aW9uIjog"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae/analysis/; classtype:trojan-activity; sid:47723; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fallchill variant outbound connection"; flow:to_server,established; content:"boundary=jeus"; fast_pattern:only; http_header; content:"--jeus"; http_client_body; content:"filename="; http_client_body; content:".gif"; within:30; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d404c0a634cef0d32029286fde8efccb6dfe1809066bbec7ac32d42c5ce3bc04/detection; classtype:trojan-activity; sid:47708; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"POST /Vre "; fast_pattern:only; content:"User-Agent: "; content:!"|0D 0A|"; within:75; content:"|5C|Microsoft Windows"; within:75; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3898085d7f99b9cc1b5f915ce6c9eca14b17a7e6d8fdc6c6b77b6f89782c59b6/analysis; classtype:trojan-activity; sid:47701; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload"; flow:to_server,established; content:"User-Agent|3A| come-tome|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/9f2e3a5a5617562a8b5a4e9521d197cc0cb2095651ead86ccaeb6f5f0c35c0f4/analysis/; classtype:trojan-activity; sid:47697; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload"; flow:to_server,established; content:"User-Agent|3A| noobBoy|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6ed8c5a1db8d80e9100268f20e75e507efbab2fe8ad83adb998af83dfe2a3137/analysis/; classtype:trojan-activity; sid:47696; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Downloader.Powload"; flow:to_server,established; content:"User-Agent|3A| newUser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/aac8f537eb495d94d5ff7bfe1d40b9fbad041d87986c1dacf9682b685e366f59/analysis/; classtype:trojan-activity; sid:47695; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Shrug2 outbound connection"; flow:to_server,established; content:"/marthas_stuff/"; fast_pattern:only; http_uri; content:"partA="; depth:6; http_client_body; content:"partB="; within:100; http_client_body; content:"partC="; within:100; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/c89833833885bafdcfa1c6ee84d7dbcf2389b85d7282a6d5747da22138bd5c59; classtype:trojan-activity; sid:47692; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Torpplar variant outbound connection"; flow:to_server,established; content:"/ie/ie.asp"; fast_pattern:only; http_uri; content:"%0D%0A|BB FA C6 F7 C2 EB|%3A"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/7d633c7889091c70a203fb5c6fbf814544538a20ef6fb6e2990134eb1e37fa06/detection; classtype:trojan-activity; sid:47678; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound beacon detected"; flow:to_server,established; content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5/analysis/; classtype:trojan-activity; sid:47650; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt"; flow:to_client,established; file_data; content:"|7B 22|line1|22 3A 22|"; depth:10; fast_pattern; content:"|22|line2|22 3A 22|"; within:30; distance:30; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/901d893f665c6f9741aa940e5f275952/detection; classtype:trojan-activity; sid:47627; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 6901 (msg:"MALWARE-CNC Win.Ransomware.Princess variant outbound connection attempt"; flow:to_server; content:"data="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/b4f05277bafc06af87fccb02a444e5a22b3760f98c05bf0f6cf5344da7faa543/analysis/; classtype:trojan-activity; sid:47621; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Trickbot variant outbound connection"; flow:to_server,established; content:"/5/spk/ HTTP/1.1|0D 0A|"; fast_pattern:only; content:"/5/spk/"; http_uri; content:!"Accept: "; http_header; content:!"Referer: "; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/en/file/eec7784f51c9e7de1220e7cf57a6d372d5744e7e7c66ca2033286ec4241c5e92/analysis/; classtype:trojan-activity; sid:47618; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet variant download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"QueryUsersOnEncryptedFile|00|"; fast_pattern:only; content:"msi.dll|00|"; content:"|A4 10 02 00|"; content:"|1C 10 02 00|"; within:6; distance:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/10810ac39fa23e7e64330b95724cd649040729705b9fbeba03064fb81ab6346a/detection; classtype:trojan-activity; sid:47617; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet variant download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Who is!!!??|00|"; fast_pattern:only; content:"|00|x|00|A|00|C|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/10810ac39fa23e7e64330b95724cd649040729705b9fbeba03064fb81ab6346a/detection; classtype:trojan-activity; sid:47616; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AzoRult variant  outbound connection detected"; flow:to_server,established; content:"/~ygnwgnrp/gate.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d89168411b7d7bfa9fb402978c553d88ff50bcbbbb10c06a15cbbe6b48ab852f/detection; classtype:trojan-activity; sid:47602; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant outbound connection detected"; flow:to_server,established; content:"/panel/order.php"; depth:16; nocase; http_uri; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/dbd77affbcef98e8814411a7fb713254f06c21fe5fe7697e75824c60a7ebcbcd/detection; classtype:trojan-activity; sid:47601; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Waldek variant initial outbound connection detected"; flow:to_server,established; content:"/tv/getinfo.php"; fast_pattern:only; http_uri; content:"HTTP/1.0"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47600; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Fake PDFEscape font pack cryptominer"; flow:to_server,established; flowbits:isset,file.msi; file_data; content:"PDFescapeDesktopInstaller.exe"; content:"|5C|system32|5C|xbox-service.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:47594; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Fake PDFEscape font pack cryptominer"; flow:to_client,established; flowbits:isset,file.msi; file_data; content:"PDFescapeDesktopInstaller.exe"; content:"|5C|system32|5C|xbox-service.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:47593; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; content:"|2A 00 00 00|"; depth:4; isdataat:37,relative; isdataat:!38,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/#/file/108bbc4ff7b7da4f0de1225094964d03b19fc38b93933f739c475f08ae17915e/detection; classtype:trojan-activity; sid:47567; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /index.php?id="; depth:18; content:"HTTP/1.1|0D 0A|"; within:10; distance:11; nocase; content:"Cookie:"; isdataat:50,relative; content:!"="; within:50; content:!"|3B|"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47557; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /logo.png HTTP/1.1|0D 0A|"; depth:24; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47556; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Keywsec variant outbound request for malicious dll exe and js detected"; flow:to_server,established; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; content:"/downloads/kwc/"; http_uri; pcre:"/\/downloads\/kwc\/\w+\.(dll|exe|js)$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9c655017f4f0609868df5614a8361bb54d12ecfeafbaf8edf2f6c158f55bdbf5/detection; classtype:trojan-activity; sid:47548; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Keywsec variant post-compromise outbound request detected"; flow:to_server,established; content:"/jobs/updated-versions/set/values/"; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9c655017f4f0609868df5614a8361bb54d12ecfeafbaf8edf2f6c158f55bdbf5/detection; classtype:trojan-activity; sid:47547; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Keywsec variant outbound request detected"; flow:to_server,established; content:"/jobs/fetch-versions/?v="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9c655017f4f0609868df5614a8361bb54d12ecfeafbaf8edf2f6c158f55bdbf5/detection; classtype:trojan-activity; sid:47546; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"MALWARE-CNC Win.Trojan.Grobios C2 inbound server command"; flow:to_client,established; file_data; content:"|0A|WAIT "; content:"|0A|CONNECT "; content:"|0A|CERT "; fast_pattern:only; pcre:"/CERT\s[a-zA-Z\+\/\x3d0-9]{1,200}/"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/8b86662ab617d11079f16d95d4d584e8acb4a374b87edf341195ab9e043ed1d2/; classtype:trojan-activity; sid:47526; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Grobios outbound connection"; flow:to_server,established; content:"/ajax?"; http_uri; content:!"Content-Length|3A|"; http_header; content:!"Content-Type|3A|"; http_header; content:!"Connection|3A|"; http_header; pcre:"/\/ajax\?[a-zA-Z]{20}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/8b86662ab617d11079f16d95d4d584e8acb4a374b87edf341195ab9e043ed1d2/; classtype:trojan-activity; sid:47525; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected"; flow:to_server, established; content:"statuses/update.xml?status="; http_uri; content:"|20|En|20 20 7C 20|IP1|3A 20|"; within:27; fast_pattern; http_uri; content:"|20 7C 20|IP2|3A 20|"; within:24; http_uri; content:"|20 7C 20|IP3|3A 20|"; within:24; http_uri; content:"|20 7C 20|IP4|3A 20|"; within:24; http_uri; content:"|20 7C 20|IP|20|Externa|3A 20|"; within:31; http_uri; content:"|20 7C 20|Version|3A 20|"; within:28; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,"https://www.virustotal.com/intelligence/search/?query=b56733286ca66bb63de91b260ed75a5250c14f68b1e65c696e3192a344953ee5"; classtype:trojan-activity; sid:47511; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery"; flow:established,to_client; content:"</HTML>|0A|<!--|0A|DEBUG:|0A|"; content:"<TITLE>404 Not Found</TITLE>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/Marten4n6/EvilOSX; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels-wp.pdf; classtype:trojan-activity; sid:47505; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2fdoc\x2f\d{1}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47452; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/images/file/vb/VBS/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2fimages\x2ffile\x2fvb\x2fVBS\x2fdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47451; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/work/newdoc/"; fast_pattern:only; http_uri; pcre:"/^\x2fwork\x2fnewdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47450; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/work/docnew/"; fast_pattern:only; http_uri; pcre:"/^\x2fwork\x2fdocnew\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/work/dola/"; fast_pattern:only; http_uri; pcre:"/^\x2fwork\x2fdola\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47448; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/work/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2fwork\x2fdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47447; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/img/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2fimg\x2fdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47446; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/info/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2finfo\x2fdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47445; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gorgon outbound connection"; flow:to_server,established; content:"/daq/doc/"; fast_pattern:only; http_uri; pcre:"/^\x2fdaq\x2fdoc\x2f\d{1,2}\x2edoc$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25; classtype:trojan-activity; sid:47444; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.IcedID outbound connection"; flow:to_server,established; content:"/data100.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d0a248655d40c1312058ecc096a32cab86e77737908f14477e2152015a503fa1/; classtype:trojan-activity; sid:47436; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.IcedID payload download"; flow:to_server,established; content:"/crypt_2_100_1.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/d0a248655d40c1312058ecc096a32cab86e77737908f14477e2152015a503fa1/analysis/; classtype:trojan-activity; sid:47435; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Coinminer.HiddenShock variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"; fast_pattern:only; http_header; content:"/bins/"; http_uri; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,virustotal.com/#/file/6c2c2b7a099f5bd47d059add802902797b12a8cb188473f4c64e4eccab617b49; classtype:trojan-activity; sid:47434; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Mapoyun variant outbound connection attempt"; flow:to_server,established; content:"Connection:Close|3B|"; fast_pattern:only; http_header; content:"X-CA-"; nocase; http_header; content:!"User-Agent|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/34cbcbbbc4b538f30bc3d57dd587f1b604d29f113c149bf1ab53898464ad9c80/analysis/; classtype:trojan-activity; sid:47427; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuping variant outbound connection"; flow:to_server,established; content:"/tongji.php?"; fast_pattern:only; http_uri; content:"userid="; http_uri; content:"mac="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3259350affe1ff0f60a1eabad8bb048228fa632cf50193da13b61e46dd40b5ad/analysis/; classtype:trojan-activity; sid:47420; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; content:"/calisto/listenyee.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47415; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; content:"/calisto/upload.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47414; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt"; flow:to_client,established; content:"|00 AC D3 62 78 26 76 31 E5 E7 E5 1D C2 3C 15 40 25 2F 90 BD 1F 7F 0E 5E 33 77 EC 0C 1E 6B 61 47|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:47377; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection"; flow:to_server,established; content:"/security-updates/firefox/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/57c76f2b9f039078da853a5ccb76f4690c196a2e3c1745a3e8c5fb3c3db26d3d/; classtype:trojan-activity; sid:47376; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection"; flow:to_server,established; content:"/security-updates/scanner/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/57c76f2b9f039078da853a5ccb76f4690c196a2e3c1745a3e8c5fb3c3db26d3d/; classtype:trojan-activity; sid:47375; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection"; flow:to_server,established; content:"/security-updates/chrome/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/57c76f2b9f039078da853a5ccb76f4690c196a2e3c1745a3e8c5fb3c3db26d3d/; classtype:trojan-activity; sid:47374; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Coinminer.PyroMineIoT outbound connection"; flow:to_server,established; content:"/server/agent.vbs"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/57c76f2b9f039078da853a5ccb76f4690c196a2e3c1745a3e8c5fb3c3db26d3d/; classtype:trojan-activity; sid:47373; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:15; content:"/file/index.php"; nocase; http_uri; content:!"User-Agent:"; nocase; http_header; content:"|99 4C 42 9D 4F 51 C3 0C|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/89b33f90b0147f63b38e7bd498b16106ee7ab8d9b1f47910c62cf77055a7c5cf/detection; classtype:trojan-activity; sid:47339; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:47338; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Luoxk malicious payload download attempt"; flow:to_server,established; content:"/JexRemoteTools.jar"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/; classtype:trojan-activity; sid:47327; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website"; flow:to_client,established; file_data; content:"google-analytisc.com/ga.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47325; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer compromised website"; flow:to_client,established; file_data; content:"|2B 22|?image_id=|22 2B|btoa"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47324; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection"; flow:to_server,established; content:"/ga.php?analytic="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47323; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection"; flow:to_server,established; content:"/captchaProtectionMonitor/captcha.php?image_id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47322; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer outbound connection"; flow:to_server,established; content:"/gate.php?image_id="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:47321; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection"; flow:established,to_server; content:".php?"; http_uri; content:"=WyJ1cmw"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:47320; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|8B 61 83 32 80 96 A0 F7 50 CD D9|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/8710e87642371c828453d59c8cc4edfe8906a5e8fdfbf2191137bf1bf22ecf81/analysis/; classtype:trojan-activity; sid:47305; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|5E 0D 10 DB 92 BF 73 6C 7D 6F 5D|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/9633246f366d63cbc70eb14b3c50d58de41ffce75ba7685d82c185ecfdda5686/analysis/; classtype:trojan-activity; sid:47304; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|EB E7 A2 EC 6E 3E CC A8 34 B5 91|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/84fd7f835de57d55ee857e7574664119ec4e8b51cf7a32c343e25d80a24fa68c/analysis/; classtype:trojan-activity; sid:47303; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|57 40 CB 6D E6 5F 6D 51 4E E7 62|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/c99218e6a9577e3012522c7eac9f18197f517815f2c1ea63950c5ac205643055/analysis/; classtype:trojan-activity; sid:47302; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|24 8A 91 18 92 BB 4B 55 39 BC ED|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/88d606ce0dd8e695a0cd4221475ce904e9c460f801a4aaf696df92cdf3357c8e/analysis/; classtype:trojan-activity; sid:47301; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Remcos variant inbound payload download"; flow:to_server,established; content:"/brats/remmy.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/fc0fa7c20adf0eaf0538cec14e37d52398a08d91ec105f33ea53919e7c70bb5a/analysis/; classtype:trojan-activity; sid:47300; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Remcos variant outbound connection"; flow:to_server,established; content:"|1B 84 D5 B0 5D F4 C4 93|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/1cc8f8b1487893b2b0ff118faa2333e1826ae1495b626e206ef108460d4f0fe7/analysis/; classtype:trojan-activity; sid:47299; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ICLoader outbound connection"; flow:to_server,established; content:"|0A|User-Agent|3A 20|File Downloader"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c3267535c9f16940b939f74298ec902db6ebe187461c015bc48b6bf13a9aa808/analysis/1529443552/; classtype:trojan-activity; sid:47265; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ICLoader outbound connection"; flow:to_server,established; content:"|0A|User-Agent|3A 20|Medunja Solodunnja"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/c3267535c9f16940b939f74298ec902db6ebe187461c015bc48b6bf13a9aa808/analysis/1529443552/; classtype:trojan-activity; sid:47264; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,8001] (msg:"MALWARE-CNC Win.Malware.Ramnit outbound REGISTER_BOT beacon"; flow:to_server,established; content:"|E2 00 20 00 00 00|"; content:"|00 20 00 00 00|"; within:5; distance:32; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/014d3906781472663461a9527eace4bbb69c4914964b050e119857b2f72a3799/detection; classtype:trojan-activity; sid:47244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Mylobot inbound connection"; flow:to_client,established; content:"|08 B6 AA AA AE E4 F1 F1|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/9f930b106c1d1ddcb832a86e14c0474d3d2e6c22b0d3408fccfa8347d7f4e7c4/analysis/; classtype:trojan-activity; sid:47243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mylobot additional payload download"; flow:to_server,established; content:"/usext.gif"; fast_pattern:only; urilen:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9f930b106c1d1ddcb832a86e14c0474d3d2e6c22b0d3408fccfa8347d7f4e7c4/analysis/; classtype:trojan-activity; sid:47242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mylobot additional payload download"; flow:to_server,established; content:"/usme.gif"; fast_pattern:only; urilen:9; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/9f930b106c1d1ddcb832a86e14c0474d3d2e6c22b0d3408fccfa8347d7f4e7c4/analysis/; classtype:trojan-activity; sid:47241; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Prowli variant outbound connection"; flow:to_server,established; content:"vchideactivationmsg_vc11"; fast_pattern:only; content:"botn="; http_client_body; content:"sploit="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/128582a05985d80af0c0370df565aec52627ab70dad3672702ffe9bd872f65d8/analysis/; classtype:trojan-activity; sid:47236; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bankshot variant outbound connection"; flow:to_server,established; content:"CONNECT"; http_method; content:"Proxy-Connection: keep-alive"; http_header; content:"HOST:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6/detection; classtype:trojan-activity; sid:47235; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound connection"; flow:to_server,established; content:"|50 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|0A|"; within:1; distance:1; isdataat:79,relative; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; sid:47178; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound communication"; flow:to_server,established; content:"|B0 00 B0 00 B0 00 B0 00 26 00 26 00 26 00|"; depth:15; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; sid:47177; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif malicious file download"; flow:to_server,established; content:".yarn HTTP"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d64426736e4f588634b112829a2e347123b64ea0aa3aac0a54d2e04212f80c67/detection; classtype:trojan-activity; sid:47148; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif malicious file download"; flow:to_server,established; content:"/testv.php?"; fast_pattern:only; http_uri; content:".yarn"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d64426736e4f588634b112829a2e347123b64ea0aa3aac0a54d2e04212f80c67/detection; classtype:trojan-activity; sid:47147; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JS.Trojan.Generic variant outbound connection"; flow:to_server,established; content:"/01/rr.php"; fast_pattern:only; http_uri; content:"xxyz=r3.log"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48157; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JS.Trojan.Generic variant outbound connection"; flow:to_server,established; content:"/01/sys119"; fast_pattern:only; http_uri; content:"WinHttp.WinHttpRequest"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48156; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JS.Trojan.Generic variant outbound connection"; flow:to_server,established; content:"/excx/"; fast_pattern:only; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/7ada3eefcf526f129be77f4252be0292b3f55dd045368647240ae6e67b923330/analysis/; reference:url,www.virustotal.com/en/file/b117753cc5ae366b2d190b40affd5a05e83fc11f184ebfd4b4b5425a06e77880/analysis/; reference:url,www.virustotal.com/en/file/b84610fb545e27b0bdf9b93cb8e8666a8303118aa90f93866a6ea20b9ffc51b2/analysis/; classtype:trojan-activity; sid:48155; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JS.Trojan.Generic variant outbound connection"; flow:to_server,established; content:"/01/inixv119"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48154; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC JS.Trojan.Generic variant outbound connection"; flow:to_server,established; content:"/01/Carontex"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48153; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC JS.Trojan.Generic malicious file download"; flow:to_server,established; file_data; content:"<?xml"; depth:50; content:"Mjsyeikeiwr"; within:200; content:"xVRXastaroth"; fast_pattern:only; content:"radador"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48152; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC JS.Trojan.Generic malicious file download"; flow:to_client,established; file_data; content:"<?xml"; depth:50; content:"Mjsyeikeiwr"; within:200; content:"xVRXastaroth"; fast_pattern:only; content:"radador"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d946c3033a41416b41b38f7a321408d09d975106e2d5412167950d42cda66f9/analysis/; classtype:trojan-activity; sid:48151; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Redhip variant outbound connection"; flow:to_server,established; content:"/main/ads.php"; nocase; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/980b388c915e3fcdf5bd7f48a3c1f8faf69387185094951797b758db8089321e/analysis/; classtype:trojan-activity; sid:48150; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Redhip variant outbound connection"; flow:to_server,established; content:"/main/"; nocase; http_uri; content:".txt"; distance:1; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/980b388c915e3fcdf5bd7f48a3c1f8faf69387185094951797b758db8089321e/analysis/; classtype:trojan-activity; sid:48149; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Redhip variant outbound connection"; flow:to_server,established; content:"GET /sqlite3.dll"; nocase; content:"Host: www.server.com"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/15f8396754898348d0df09c85a304e2359c9102e87e7fed270e10b3814a82a7d/analysis/; classtype:trojan-activity; sid:48148; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Redhip variant outbound connection"; flow:to_server,established; content:"GET /XXXX.dll"; fast_pattern; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/15f8396754898348d0df09c85a304e2359c9102e87e7fed270e10b3814a82a7d/analysis/; classtype:trojan-activity; sid:48147; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5555 (msg:"MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection"; flow:to_server,established; content:"/sms/"; depth:20; metadata:impact_flag red, policy max-detect-ips drop; reference:url,virustotal.com/en/file/81d4f6796509a998122817aaa34e1c8c6de738e1fff5146009c07be8493f162c/analysis/; classtype:trojan-activity; sid:48203; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6565 (msg:"MALWARE-CNC Andr.Trojan.Xamaria variant outbound connection"; flow:to_server,established; content:"/index_main.html"; depth:20; metadata:impact_flag red, policy max-detect-ips drop; reference:url,virustotal.com/en/file/81d4f6796509a998122817aaa34e1c8c6de738e1fff5146009c07be8493f162c/analysis/; classtype:trojan-activity; sid:48202; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Emdivi variant outbound request detected"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| SV1|3B|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html; classtype:trojan-activity; sid:48199; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Datper variant outbound request detected"; flow:to_server,established; content:"/cx/index.php"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html; classtype:trojan-activity; sid:48198; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Datper variant outbound request detected"; flow:to_server,established; content:"/minaosi/siryou.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2018/10/tracking-tick-through-recent-campaigns.html; classtype:trojan-activity; sid:48197; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"MALWARE-CNC Unix.Worm.Hakai outbound connection"; flow:to_server,established; content:"[HAKAI] Connected [ ARCH:"; fast_pattern:only; content:" [ HOST:"; content:"]|1B|["; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/60c186f29ce8f55608aea2681c725cb1b7a1441a6b6ab59186e323c6d7996f5a/analysis/; classtype:trojan-activity; sid:48192; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Linux.Malware.Torii variant malicious file download"; flow:to_client; flowbits:isset,file.elf; file_data; content:"|AA 98 DD 9A BB C4 DD 90 BA 98 D9 89 BF 88 D9 90 BA 98 D3 8A B6 C4 DF 91 B3 EA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/cf3bfd3f5401c2cf45b70c61dde33cc758839644249183958235f6471fa36702/; classtype:trojan-activity; sid:48191; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt"; flow:to_server,established; file_data; content:"|4C 30 F6 0B 66 08 0E 02 E2 08 A8 A8 C4 32 10 C9 C6 E0 CE 92 C0 04 B3 27 8F 05 44 3A C8 83 5C 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c/detection; classtype:trojan-activity; sid:48176; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GhostPuppet malicious document download attempt"; flow:to_client,established; file_data; content:"|4C 30 F6 0B 66 08 0E 02 E2 08 A8 A8 C4 32 10 C9 C6 E0 CE 92 C0 04 B3 27 8F 05 44 3A C8 83 5C 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/9c3221dfc49b159f032eda70e8cb207c60e73ea5f51f9ddc90629292deacf90c/detection; classtype:trojan-activity; sid:48175; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Octopus outbound connection attempt"; flow:to_server,established; content:"/i.php?check=565774578511d3f52f4ece818d08d84f"; fast_pattern:only; http_uri; content:"Accept-Encoding:"; http_header; content:"identity"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2d5f3edc4132f463cb6efe6379fda46e00fb7225f51a9fb69d2b11161c43faa6/analysis/; classtype:trojan-activity; sid:48260; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Octopus outbound connection attempt"; flow:to_server,established; content:"/d.php?servers"; fast_pattern:only; http_uri; content:"Accept-Encoding:"; http_header; content:"identity"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2d5f3edc4132f463cb6efe6379fda46e00fb7225f51a9fb69d2b11161c43faa6/analysis/; classtype:trojan-activity; sid:48259; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Octopus outbound connection attempt"; flow:to_server,established; content:"/d.php?check"; fast_pattern:only; http_uri; content:"Accept-Encoding:"; http_header; content:"identity"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2d5f3edc4132f463cb6efe6379fda46e00fb7225f51a9fb69d2b11161c43faa6/analysis/; classtype:trojan-activity; sid:48258; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound request detected"; flow:to_server,established; content:"/plugin.wbk"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html; classtype:trojan-activity; sid:48288; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound request detected"; flow:to_server,established; content:"/xyz.123"; depth:8; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html; classtype:trojan-activity; sid:48287; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8852 (msg:"MALWARE-CNC Unix.Trojan.Chalubo outbound connection"; flow:to_server,established; content:"/powerpc "; depth:50; pcre:"/GET\s+\x2f\w{1,8}\x2fpowerpc\x20/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4cd5d3013bcbd1b63a532b34b40267950dd182f3c8ae8930e64d680db8990018/analysis/; classtype:trojan-activity; sid:48286; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8852 (msg:"MALWARE-CNC Unix.Trojan.Chalubo outbound connection"; flow:to_server,established; content:"/x86_64 "; depth:50; pcre:"/GET\s+\x2f\w{1,8}\x2fx86_64\x20/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4cd5d3013bcbd1b63a532b34b40267950dd182f3c8ae8930e64d680db8990018/analysis/; classtype:trojan-activity; sid:48285; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8852 (msg:"MALWARE-CNC Unix.Trojan.Chalubo outbound connection"; flow:to_server,established; content:"/mips"; depth:50; pcre:"/GET\s+\x2f\w{1,8}\x2fmips(\x20|64\x20|el\x20)/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4cab17dbf7e6907bc88a047f6f30ba7e8ed9caa59976dd163b950a512e53f164/analysis/; classtype:trojan-activity; sid:48284; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8852 (msg:"MALWARE-CNC Unix.Trojan.Chalubo outbound connection"; flow:to_server,established; content:"/i486 "; depth:50; pcre:"/GET\s+\x2f\w{1,8}\x2fi486\x20/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3c6e73617240ac030497ddeed2af22c7a6748a3c94f65f23dd2306c2baf0b361/analysis/; classtype:trojan-activity; sid:48283; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8852 (msg:"MALWARE-CNC Unix.Trojan.Chalubo outbound connection"; flow:to_server,established; content:"/arm "; depth:50; pcre:"/GET\s+\x2f\w{1,8}\x2farm\x20/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/adeee7742aff95dd04ec4458e4beb2c426b70c73f3dc84439fb13a32cee6c68f/analysis/; classtype:trojan-activity; sid:48282; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8694 (msg:"MALWARE-CNC Unix.Trojan.Chalubo downloader connection"; flow:to_server,established; content:"/libsdes "; depth:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fbbf97d1d6024259aa61c71c0719209e5cd2c52f210f63fe5f9310ec3540a130/analysis/; classtype:trojan-activity; sid:48281; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt"; flow:to_server,established; file_data; content:"objh260{|5C|*|5C|objdata 21|5C 27|29|5C 27|8725|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/9d5463c288706fbb2e6646d6a12f80cbe4cf39b82184c51a5d65aba3150c8d68/detection; classtype:trojan-activity; sid:48280; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Rtf.Trojan.Felixroot variant download attempt"; flow:to_client,established; file_data; content:"objh260{|5C|*|5C|objdata 21|5C 27|29|5C 27|8725|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/9d5463c288706fbb2e6646d6a12f80cbe4cf39b82184c51a5d65aba3150c8d68/detection; classtype:trojan-activity; sid:48279; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Felixroot variant download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Load"; content:"|C7|"; within:2; content:"Libr"; within:5; distance:1; content:"|C7|"; within:2; content:"aryA"; within:5; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d/detection; reference:url,www.virustotal.com/#/file/c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15/detection; classtype:trojan-activity; sid:48278; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Felixroot variant download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Load"; content:"|C7|"; within:2; content:"Libr"; within:5; distance:1; content:"|C7|"; within:2; content:"aryA"; within:5; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d/detection; reference:url,www.virustotal.com/#/file/c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15/detection; classtype:trojan-activity; sid:48277; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Felixroot variant command-and-control communication attempt"; flow:to_server,established; content:"/news/"; fast_pattern:only; http_uri; content:"Trident/"; http_header; content:"u="; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d/detection; reference:url,www.virustotal.com/#/file/c2d06ad0211c24f36978fe34d25b0018ffc0f22b0c74fd1f915c608bf2cfad15/detection; classtype:trojan-activity; sid:48276; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [22,23] (msg:"MALWARE-CNC Unix.Trojan.Gafgyt variant new bot registered"; flow:to_server,established; content:"[Shelling]-->["; fast_pattern:only; content:"]-->[2"; content:"]-->["; distance:1; content:"]-->["; distance:11; content:"]-->["; distance:3; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:url,virustotal.com/#/file/c983c7380b13216ec7f66d8214e58770a2541990f57a028af43c84da98f478e3/detection; classtype:trojan-activity; sid:48275; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_client; file_data; content:"pgs99.online"; content:"painelhost.uol.com.br"; fast_pattern:only; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/91781126feeae4d1a783f3103dd5ed0f8fc4f2f8e6f51125d1bfc06683b01c39; classtype:trojan-activity; sid:48356; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banking download attempt initiated"; flow:to_server; content:"/maquinas/PC078BFBFF00000F61-OFF.txt"; fast_pattern:only; http_uri; content:!"User-Agent:"; nocase; http_header; content:!"Referer:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2a1af665f4692b8ce5330e7b0271cfd3514b468a92d60d032095aebebc9b34c5; classtype:trojan-activity; sid:48355; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt"; flow:to_server,established; file_data; content:"|BC 1D 47 5B 75 C6 FB A8 C7 8C C7 38 D3 7A 77 BC 75 D4 F1 1C AB A3 8E A3 8E 3A 3A 8E B7 FE 76 DF|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/f50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321/detection; classtype:trojan-activity; sid:48308; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Doc.GrayEnergy malicious document download attempt"; flow:to_client,established; file_data; content:"|BC 1D 47 5B 75 C6 FB A8 C7 8C C7 38 D3 7A 77 BC 75 D4 F1 1C AB A3 8E A3 8E 3A 3A 8E B7 FE 76 DF|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/f50ee030224bf617ba71d88422c25d7e489571bc1aba9e65dc122a45122c9321/detection; classtype:trojan-activity; sid:48307; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Telebot variant outbound connection"; flow:to_server,established; content:"/Microsoft/Outlook/initialization"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb/analysis; classtype:trojan-activity; sid:48302; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Telebot variant outbound connection"; flow:to_server,established; content:"/Microsoft/updates/kbupdate"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"&kb="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb/analysis; classtype:trojan-activity; sid:48301; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Telebot variant outbound connection"; flow:to_server,established; content:"/Microsoft/Office/validation?m="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1b2a5922b58c8060844b43e14dfa5b0c8b119f281f54a46f0f1c34accde71ddb/analysis; classtype:trojan-activity; sid:48300; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Telebot variant outbound connection"; flow:to_server,established; content:"/last.ver?rnd="; fast_pattern:only; http_uri; content:"Cookie: EDRPOU="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f9d6fe8bd8aca6528dec7eaa9f1aafbecde15fd61668182f2ba8a7fc2b9a6740/analysis; classtype:trojan-activity; sid:48299; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A|Cookie: "; depth:24; content:"="; within:6; pcre:"/Cookie: \d{1,5}=[a-zA-Z0-9\x2b\x2f]+=*\r\nUser-Agent:/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1041/; reference:url,www.virustotal.com/en/file/f78b1778da8108d3a9d3ca5d8194fb607d9fe84da4aabbfec0c27f5d261cd646/analysis/; classtype:trojan-activity; sid:48402; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"support@ikeashop.fi"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/#/file/074a5836c5973bb53ab02c2bad66a4743b65c20fd6bf602cfaf09219f32d2426; classtype:trojan-activity; sid:48397; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection"; flow:to_server,established; content:"Mozilla v5.1 (Windows NT 6.1|3B| rv:6.0.1) Gecko/20100101 Firefox/6.0.1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/86bb3b00bcd4878b081e4e4f126bba321b81a17e544d54377a0f590f95209e46; classtype:trojan-activity; sid:48396; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection"; flow:to_server,established; content:"/documents/Note_template.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/c91843a69dcf3fdad0dac1b2f0139d1bb072787a1cfcf7b6e34a96bc3c081d65; classtype:trojan-activity; sid:48395; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.Bondupdater outbound cnc connection"; flow:to_server; content:"|0C|withyourface|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/#/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00; classtype:trojan-activity; sid:48422; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection"; flow:to_server,established; content:"/plise.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/b85027de6871e2ed1a2154edb645fd016807989b44107fc2804eb6e9acce3b9d; classtype:trojan-activity; sid:48436; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OlympicDestroyer variant outbound connection"; flow:to_server,established; content:"/check/index"; depth:12; http_uri; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a6678a676d6a55833aa63233b3bae53fd7825c3c8afc4d015a2ca8296baee31a; classtype:trojan-activity; sid:48435; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection"; flow:to_server,established; content:"/catalog/products/books.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d18d909ee3eb65dfd49925853553c87f7fd8a40e7cebb0f342e43e0c1fbab7d7; classtype:trojan-activity; sid:48432; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound connection"; flow:to_server,established; content:"/local/s3/filters.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/6AD3EB8B5622145A70BEC67B3D14868A1C13864864AFD651FE70689C95B1399A; classtype:trojan-activity; sid:48431; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cannon outbound connection"; flow:to_server,established; content:"/live/owa/office.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f; classtype:trojan-activity; sid:48430; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cannon outbound connection"; flow:to_server,established; content:"/version/in/documents.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f; classtype:trojan-activity; sid:48429; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.12percent ransomware generator download"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"icacls |22|**|22| /grant administrators"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:48438; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.12percent ransomware generator download"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"icacls |22|**|22| /grant administrators"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:48437; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.DNSpionage variant outbound connection"; flow:to_server,established; content:"/Client/Upload"; http_uri; content:"form-data|3B 20|name=|22|txts|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/; classtype:trojan-activity; sid:48445; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.DNSpionage variant outbound connection"; flow:to_server,established; urilen:19; content:"/Client/Login?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/; classtype:trojan-activity; sid:48444; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Exaramel outbound cnc connection"; flow:to_server,established; content:"/eset/18.04.12"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2f12fd3fb35f8690eea80dd48de98660c55df7f5c26b49d0cc82aaf3635b0c7a; classtype:trojan-activity; sid:48449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sofacy outbound connection"; flow:to_server,established; content:"/resource-store/stockroom-center-service/check.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/2da5a388b891e42df4ed62cffbc167db2021e2441e6075d651ecc1d0ffd32ec8; classtype:trojan-activity; sid:48447; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sofacy outbound connection"; flow:to_server,established; content:"/doc/temp/release.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/40318f3593bca859673827b88d65c5d2f0d80a76948be936a60bda67dff27be9; classtype:trojan-activity; sid:48446; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.tRat variant outbound cnc connection"; flow:to_server,established; content:"D9BD68ABF53C3914A248EC603E9CD96F"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b; classtype:trojan-activity; sid:48467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.tRat variant outbound cnc connection"; flow:to_server,established; content:"CF9C77"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b; classtype:trojan-activity; sid:48466; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Js.Worm.Bondat inbound connection attempt"; flow:to_client,established; file_data; content:"File not found.|0A|<!-- =S4KE"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/1aef766029f9d258441798754804ddc35c0436268c67c370b3f72f5e57580d2b; classtype:trojan-activity; sid:48465; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,6500] (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"GET /zIZFh|5C| HTTP/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2; classtype:trojan-activity; sid:48464; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/MScertificate.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2; classtype:trojan-activity; sid:48463; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/link/GRAPH.EXE"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2; classtype:trojan-activity; sid:48462; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/syshelp/kd8812u/protocol.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2; classtype:trojan-activity; sid:48461; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carrotbat outbound connection attempt"; flow:to_server,established; content:"/20.txt"; fast_pattern:only; http_uri; urilen:<15; content:"User-Agent: Microsoft-CryptoAPI"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48480; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carrotbat outbound connection attempt"; flow:to_server,established; content:"/1.txt"; fast_pattern:only; http_uri; urilen:<14; content:"User-Agent: Microsoft-CryptoAPI"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48479; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection attempt"; flow:to_server,established; content:"/0_31.doc"; fast_pattern:only; http_uri; urilen:9; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48478; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound connection attempt"; flow:to_server,established; content:"/vip/setup"; http_uri; content:".txt"; within:5; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carrotbat outbound connection attempt"; flow:to_server,established; content:"/20.txt"; fast_pattern:only; http_uri; urilen:<15; content:"User-Agent: CertUtil URL Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48476; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Carrotbat outbound connection attempt"; flow:to_server,established; content:"/1.txt"; fast_pattern:only; http_uri; urilen:<14; content:"User-Agent: CertUtil URL Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/824f79a8ee7d8a23a0371fab83de44db6014f4d9bdea90b47620064e232fd3e3; classtype:trojan-activity; sid:48475; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Coinminer variant outbound connection"; flow:to_server,established; content:"/.foo/"; http_uri; content:".tgz"; within:15; http_uri; content:"User-Agent: curl/"; http_header; content:"Accept: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d62e6fd9e16b05a16859582cbbf6e841e2097ac6f25f35f2e078b3dfb490bb9/analysis/1543867636/; classtype:trojan-activity; sid:48473; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Coinminer variant outbound connection"; flow:to_server,established; content:"/.foo/"; http_uri; content:".sh"; within:15; http_uri; content:"User-Agent: curl/"; http_header; content:"Accept: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d62e6fd9e16b05a16859582cbbf6e841e2097ac6f25f35f2e078b3dfb490bb9/analysis/1543867636/; classtype:trojan-activity; sid:48472; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Coinminer variant outbound connection"; flow:to_server,established; content:"/.foo/"; http_uri; content:".tgz"; within:15; http_uri; content:"User-Agent: Wget/"; http_header; content:"Accept: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d62e6fd9e16b05a16859582cbbf6e841e2097ac6f25f35f2e078b3dfb490bb9/analysis/1543867636/; classtype:trojan-activity; sid:48471; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Coinminer variant outbound connection"; flow:to_server,established; content:"/.foo/"; http_uri; content:".php"; within:15; http_uri; content:"User-Agent: curl/"; http_header; content:"Accept: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4d62e6fd9e16b05a16859582cbbf6e841e2097ac6f25f35f2e078b3dfb490bb9/analysis/1543867636/; classtype:trojan-activity; sid:48470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection"; flow:to_server,established; content:"/d2/about.php"; fast_pattern:only; http_uri; content:"Content-Encoding: binary"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48499; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC 2nd Stage Oilrig CNC connection attempt"; flow:to_server,established; content:"/updatecdnsrv/prelocated/owa/auth/template.rtf"; fast_pattern; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pan-unit42.github.io/playbook_viewer/; classtype:trojan-activity; sid:48498; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC 4th Stage Oilrig CNC connection attempt"; flow:to_server,established; content:"/sysupdate.aspx?req="; fast_pattern; http_uri; content:"&m=d"; distance:1; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,pan-unit42.github.io/playbook_viewer/; classtype:trojan-activity; sid:48497; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Powermud variant outbound connection"; flow:to_server,established; content:"/oa/?id="; fast_pattern:only; http_uri; content:"Content-Type: application/json"; nocase; http_header; content:"Expect: 100-continue"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Powermud variant outbound connection"; flow:to_server,established; content:"/wp-config-ini.php"; fast_pattern:only; http_uri; content:"Expect: 100-continue"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Powermud variant outbound connection"; flow:to_server,established; content:"/oc/api/?id="; fast_pattern:only; http_uri; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48560; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Powermud variant outbound connection"; flow:to_server,established; content:"/or/?id="; fast_pattern:only; http_uri; content:"Content-Type: application/json"; nocase; http_header; content:"Expect: 100-continue"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48559; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dofoil variant outbound connection"; flow:to_server,established; content:"|52 3D|"; http_client_body; content:"|7D 5A 25 2B 46 6B 68 B6|"; distance:40; http_client_body; content:"|14 E1 94 69 6E C0 BB 71 32 FE 61 21|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/42fdaffdbacfdf85945bd0e8bfaadb765dde622a0a7268f8aa70cd18c91a0e85/detection; classtype:trojan-activity; sid:48558; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Azorult outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/1/index.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0e27bbfa70b399182f030ee18531e100d4f6e8cb64e592276b02c18b7b5d69e6; reference:url,www.virustotal.com/#/file/3354a1d18aa861de2e17eeec65fc6545bc52deebe86c3ef12ccb372c312d8af8; classtype:trojan-activity; sid:48552; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt"; flow:to_server,established; content:"/wp-content/plugins/"; fast_pattern:only; http_uri; content:!"Referer"; http_header; pcre:"/^\x2fwp-content\x2fplugins(\x2f.+?)*?\x2f[123]$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48508; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt"; flow:to_server,established; content:"/wp-includes/2"; fast_pattern:only; http_uri; urilen:14; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48507; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound connection attempt"; flow:to_server,established; content:"/wp-includes/4"; fast_pattern:only; http_uri; urilen:14; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48506; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif outbound connection attempt"; flow:to_server,established; content:"/wpx/"; fast_pattern:only; http_uri; urilen:>200; content:!"Referer"; http_header; content:"GET /wpx/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48505; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection"; flow:to_server,established; content:"/mlu/forum.php"; fast_pattern:only; http_uri; content:"Content-Encoding: binary"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48504; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeusPanda outbound cnc connection"; flow:to_server,established; content:"/4/forum.php"; fast_pattern:only; http_uri; content:"GUID="; http_client_body; content:"&BUILD="; distance:0; http_client_body; content:"&INFO="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/b8ce490bc146c058abad4b6593d9e08adcf0b9d374616bca25df78e92ae7d753/analysis; classtype:trojan-activity; sid:48503; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection"; flow:to_server,established; content:"/en_action_device/center_correct_customer/drivers-i7-x86.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48592; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Downloader.Cannon payload download attempt"; flow:to_server,established; content:"/officeDocument/2006/relationships/templates.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/34bdb5b364358a07f598da4d26b30bac37e139a7dc2b9914debb3a16311f3ded; classtype:trojan-activity; sid:48591; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection"; flow:to_server,established; content:"/agr-enum/progress-inform/cube.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ed8f52cdfc5f4c4be95a6b2e935661e00b50324bee5fe8974599743ccfd8daba; classtype:trojan-activity; sid:48590; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Downloader.Cannon payload download attempt"; flow:to_server,established; content:"/office/thememl/2012/main/attachedTemplate.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/77ff53211bd994293400cb3f93e3d3df6754d8d477cb76f52221704adebad83a; classtype:trojan-activity; sid:48589; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Downloader.Cannon payload download attempt"; flow:to_server,established; content:"/messages/content/message_template.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:48588; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/handler.php?uid="; fast_pattern:only; http_uri; content:"scr"; http_client_body; content:"alloy.png"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b; classtype:trojan-activity; sid:48568; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zekapab variant outbound connection"; flow:to_server,established; content:"/agr-enum/progress-inform/cube.php"; fast_pattern:only; http_uri; content:"?res="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/87f363afc9778efc78dd3e0ced112d8d66a09a8924091f0927ed02a7b64850d2/detection; classtype:trojan-activity; sid:48732; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/Bottle.exe"; fast_pattern:only; http_uri; urilen:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d1a391de4739a726b29756132cbfda7ee32368e60d747a98fda2a741995d229d; classtype:trojan-activity; sid:48724; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/mudiwa/index.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/d1a391de4739a726b29756132cbfda7ee32368e60d747a98fda2a741995d229d; classtype:trojan-activity; sid:48723; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/sss/gate.php"; fast_pattern:only; http_uri; urilen:13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/962fa603a3674ce4948c5a4c82e49cde32585b98c280c2357e70c561ec55c326; classtype:trojan-activity; sid:48722; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Occamy variant outbound connection"; flow:to_server,established; content:"/sss/config.php"; fast_pattern:only; http_uri; urilen:15; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/962fa603a3674ce4948c5a4c82e49cde32585b98c280c2357e70c561ec55c326; classtype:trojan-activity; sid:48721; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant payload download attempt"; flow:to_server,established; content:"/Templates/NormalOld.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/07646dc0a8c8946bb78be9b96147d4327705c1a3c3bd3fbcedab32c43d914305; classtype:trojan-activity; sid:48767; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/pkg/image/do.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc; classtype:trojan-activity; sid:48766; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/advance/portable_version/service.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa; classtype:trojan-activity; sid:48765; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/technet-support/library/online-service-description.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48764; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_server,established; content:"/officexel/transfer.gz"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2; classtype:trojan-activity; sid:48792; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_server,established; content:"/officexel/"; fast_pattern:only; http_uri; content:".zip HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2; classtype:trojan-activity; sid:48791; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uppercut inbound payload download"; flow:to_server,established; content:"|5C|..|5C|mshtml,RunHTMLApplication"; fast_pattern:only; content:"|3B|csrf="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d; classtype:trojan-activity; sid:48822; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uppercut variant outbound connection"; flow:to_server,established; content:"Cookie: GetLastError="; fast_pattern:only; content:!"Referer: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/3d2b3c9f50ed36bef90139e6dd250f140c373664984b97a97a5a70333387d18d; classtype:trojan-activity; sid:48821; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Criakl variant outbound connection"; flow:to_server,established; content:"/inst.php?vers="; fast_pattern:only; http_uri; content:"&id="; nocase; http_uri; content:"&sender"; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ab9220d3cf3bc999beb96b42d707e8cd590c04f4d02c4512ee1165854bdfe649/detection; classtype:trojan-activity; sid:48820; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent variant inbound payload download"; flow:established,to_server; content:"/blogs/enc7.js"; fast_pattern:only; http_uri; urilen:14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48819; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8880] (msg:"MALWARE-CNC Js.Trojan.Agent variant outbound connection"; flow:established,to_server; content:"User-Agent|3A| xmsSofts_1.0.0_"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48818; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC MuddyWater variant malicious document download attempt"; flow:to_server,established; file_data; flowbits:isset,file.doc; content:"|5C 80 07 D8 6F 66 CC 8B EB 79 C0 E3 B8 FF 04 AE E7 03 17 30 A2 6D C6 BE 8E 38 7A F6 81 10 40 9A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/41ee0ab77b474b0c84a1c25591029533f058e4454d9f83ba30159cc6309c65d1/detection; classtype:trojan-activity; sid:48860; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC MuddyWater variant malicious document download attempt"; flow:to_client,established; file_data; flowbits:isset,file.doc; content:"|5C 80 07 D8 6F 66 CC 8B EB 79 C0 E3 B8 FF 04 AE E7 03 17 30 A2 6D C6 BE 8E 38 7A F6 81 10 40 9A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/41ee0ab77b474b0c84a1c25591029533f058e4454d9f83ba30159cc6309c65d1/detection; classtype:trojan-activity; sid:48859; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.L0rdix send system log attempt"; flow:to_server,established; file_data; content:"/connect.php?hw="; http_uri; content:"&ps="; within:100; http_uri; content:"&ck="; within:100; http_uri; content:"&fl="; within:100; http_uri; content:".zip"; depth:200; http_client_body; content:"log.txt"; within:200; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11/detection; classtype:trojan-activity; sid:48858; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.L0rdix send client settings attempt"; flow:to_server,established; file_data; content:"/connect.php?h="; http_uri; content:"&o="; within:100; http_uri; content:"&c="; within:100; http_uri; content:"&g="; within:100; http_uri; content:"&w="; within:100; http_uri; content:"&p="; within:100; http_uri; content:"&r="; within:100; http_uri; content:"&f="; within:100; http_uri; content:"&rm="; within:100; http_uri; content:"&d="; within:100; http_uri; content:"img="; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11/detection; classtype:trojan-activity; sid:48857; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:"/qgHUDRZiYhOqQiN/kESklNvxsNZQcPl.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48847; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:"User-Agent: usrnode/"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48846; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:".php?very="; fast_pattern:only; http_uri; content:"&xnvk="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48845; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/company-device-support/values/correlate-sec.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998; classtype:trojan-activity; sid:48844; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ServHelper outbound connection"; flow:to_server,established; content:"/sav/s.php"; fast_pattern:only; http_uri; urilen:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579; classtype:trojan-activity; sid:48887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlawedGrace outbound connection"; flow:to_server,established; content:"/aggdst/Hasrt.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58; classtype:trojan-activity; sid:48886; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ServHelper outbound connection"; flow:to_server,established; content:"/rest/serv.php"; fast_pattern:only; http_uri; content:"key="; http_client_body; content:"&sysid="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579; classtype:trojan-activity; sid:48885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ServHelper outbound connection"; flow:to_server,established; content:"/support/form.php"; fast_pattern:only; http_uri; content:"key="; http_client_body; content:"&sysid="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549; classtype:trojan-activity; sid:48884; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ServHelper outbound connection"; flow:to_server,established; content:"/ghuae/huadh.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8; classtype:trojan-activity; sid:48883; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.FlawedGrace outbound connection"; flow:to_server,established; content:"|06|E6|17|GCRG|01 00 00 00 02 00|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58; classtype:trojan-activity; sid:48882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlawedGrace outbound connection"; flow:to_server,established; content:"/host32"; fast_pattern:only; http_uri; urilen:7; content:"User-Agent: Windows Installer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/56097c4fd04ad9acf45f9964494b0fcac33b0911e7a27b925e98e3444989af0c; classtype:trojan-activity; sid:48881; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlawedGrace outbound connection"; flow:to_server,established; content:"User-Agent: Embarcadero URI Client"; fast_pattern:only; http_header; content:"/a.exe"; http_uri; urilen:6; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/56097c4fd04ad9acf45f9964494b0fcac33b0911e7a27b925e98e3444989af0c; classtype:trojan-activity; sid:48880; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlawedGrace outbound connection"; flow:to_server,established; content:"/En-US/reader/download/?installer=Reader_DC_2019.009.20088_English_Windows"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac; classtype:trojan-activity; sid:48879; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/winter/zxd.php?TIe="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e; classtype:trojan-activity; sid:48878; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/ourtyaz/qwe.php?TIe="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/172fb23460f34d174baa359c23d46d139fe30cd2d97b11b733aae496ab609c25; classtype:trojan-activity; sid:48877; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/purchase61dfdusfdsu/costnbenifit8889.php?p="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f; classtype:trojan-activity; sid:48876; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/MarkQuality455/developerbuild.php?b="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7; classtype:trojan-activity; sid:48875; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/ourtyaz/dwnack.php?cId="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c; classtype:trojan-activity; sid:48874; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/js/drv"; fast_pattern:only; http_uri; urilen:7; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/7d1e26a031db514dd8258de071b96dc57ebc31baf394129c020dd65b8acfc517; classtype:trojan-activity; sid:48873; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/foth1018/go.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,3606] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|00 00 00 E2 DA A6 7E FB F2 28 DC C7 E5 BA 6B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/#/file/ea4e1a46f8b3cb759b77ccca7269371f3cf72d42b76b4cba566678369495efca; classtype:trojan-activity; sid:48868; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,3606] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|08 00 00 00 C1 C3 D0 32 43 59 A1 78|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/#/file/ea4e1a46f8b3cb759b77ccca7269371f3cf72d42b76b4cba566678369495efca; classtype:trojan-activity; sid:48867; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,3606] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|D8 00 00 00 27 D3 99 BF EA 33 C5 81 53 74 EC 75|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/#/file/ea4e1a46f8b3cb759b77ccca7269371f3cf72d42b76b4cba566678369495efca; classtype:trojan-activity; sid:48866; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,3606] (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"|08 00 00 00 B7 04 05 7C 3E 61 59 42|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/#/file/ea4e1a46f8b3cb759b77ccca7269371f3cf72d42b76b4cba566678369495efca; classtype:trojan-activity; sid:48865; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt"; flow:to_server,established; file_data; content:"|0B 43 31 41 35 47 FE 47 CD 39 4D 38 81 38 0F 38 44 3A 8B 3A 81 3A 46 39 C5 3A 45 3B 89 3A 41 3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/9206f08916ab6f9708d81a6cf2f916e2f606fd048a6b2355a39db97e258d0883/detection; classtype:trojan-activity; sid:48941; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TA505 malicious dropper download attempt"; flow:to_client,established; file_data; content:"|0B 43 31 41 35 47 FE 47 CD 39 4D 38 81 38 0F 38 44 3A 8B 3A 81 3A 46 39 C5 3A 45 3B 89 3A 41 3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/9206f08916ab6f9708d81a6cf2f916e2f606fd048a6b2355a39db97e258d0883/detection; classtype:trojan-activity; sid:48940; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; file_data; content:"-wind 1 -exec byp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d5ae39e8e3116bf0a5e0006b238ed5043b41f10e1d681f4266ac8a7974dbd879; classtype:trojan-activity; sid:48908; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_client,established; file_data; content:"-wind 1 -exec byp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d5ae39e8e3116bf0a5e0006b238ed5043b41f10e1d681f4266ac8a7974dbd879; classtype:trojan-activity; sid:48907; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/software-apptication/help-support-apl/getidpolapl.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48904; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; classtype:trojan-activity; sid:49035; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Qakbot malicious executable download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|52 DB 91 CB FE 67 30 9A 8E 72 28 4F 1C A9 81 A1 AA BE AC 8D D9 AB E4 15 EF EA C6 73 89 9F CF 2E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/ad815edc045c779628db3a3397c559ca08f012216dfac4873f11044b2aa1537b/detection; classtype:trojan-activity; sid:49034; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.MongoLock inbound connection"; flow:to_client,established; ssl_state:server_hello; content:"|2A|.rapid7.xyz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/#/file/698be23b36765ac66f53c43c19ea84d9be0c3d7d81983726724df6173236defa; classtype:trojan-activity; sid:48983; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.MongoLock outbound connection"; flow:to_server,established; content:"/u3/w"; fast_pattern:only; http_uri; urilen:5; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/698be23b36765ac66f53c43c19ea84d9be0c3d7d81983726724df6173236defa; classtype:trojan-activity; sid:48982; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Doc.Dropper GandCrab ramsomware download attempt"; flow:to_server,established; file_data; flowbits:isset,file.doc; content:"|43 08 61 6C 6C 80 8E 41 2E 53 68 00 65 6C 6C 28 22 70 6F 77 00 22 20 26 20 5F 0D 0A 78 00 4B 68|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/c69b49de3046c74b69da1cf8af7c065430292340ce1959b1af973a329f585251/detection; classtype:trojan-activity; sid:49069; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Doc.Dropper GandCrab ramsomware download attempt"; flow:to_client,established; file_data; flowbits:isset,file.doc; content:"|43 08 61 6C 6C 80 8E 41 2E 53 68 00 65 6C 6C 28 22 70 6F 77 00 22 20 26 20 5F 0D 0A 78 00 4B 68|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/c69b49de3046c74b69da1cf8af7c065430292340ce1959b1af973a329f585251/detection; classtype:trojan-activity; sid:49068; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dragonok variant post-compromise outbound connection detected"; flow:to_server,established; content:"/index.php?fn=s"; fast_pattern; http_uri; pcre:"/\x2findex.php\?fn=s\d(&(item|uid|name|file)=){0,1}/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0ab11ac52087eca0b8ad930f7fbb2e1bdbc4300d19a8d0598541522b03da5ddd/detection; classtype:trojan-activity; sid:49092; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dragonok variant post-compromise outbound connection detected"; flow:to_server,established; content:"Content-Type|3A| multipart/form-data|3B| boundary=---------------------------xy012oqbasdfaa"; fast_pattern; http_header; content:"Content-Disposition|3A| form-data|3B| name=|22|file|22 3B| filename="; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|path|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|submit|22|"; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0ab11ac52087eca0b8ad930f7fbb2e1bdbc4300d19a8d0598541522b03da5ddd/detection; classtype:trojan-activity; sid:49091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"/jj9a"; fast_pattern:only; urilen:5; content:"User-Agent: curl/"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e; classtype:trojan-activity; sid:49110; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,4444] (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"Cookie: session=SYDFioywtcFbUR5U3EST96SbqVk="; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/089cbd3cdedb45198d530495ebf5b171139d1786e268d9702afbe3684e6c7d0d; classtype:trojan-activity; sid:49109; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,4444] (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"Cookie: session=Uy3r/62UwT8t7hOk1wN8uCOC4Vk="; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5fdb5620a5f9da9cf449e2e29038f4c1120394d41eee54f102060d1768cd8520; classtype:trojan-activity; sid:49108; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"/harmlesslittlecode.py"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e; classtype:trojan-activity; sid:49107; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:".proxy.initialize.plist"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e; classtype:trojan-activity; sid:49106; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"/com.apple.rig"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e; classtype:trojan-activity; sid:49105; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.DarthMiner variant outbound connection"; flow:to_server,established; content:"/uploadminer.sh"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/ebecdeac53069c9db1207b2e0d1110a73bc289e31b0d3261d903163ca4b1e31e; classtype:trojan-activity; sid:49104; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qealler outbound connection attempt"; flow:to_server,established; content:"q-qealler-id:"; fast_pattern:only; content:"q-qealler-stub-id:"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d39b62692e6b2457c33adf0490584b3390df148862deebcc4dfe3126b9acc678/analysis/; classtype:trojan-activity; sid:49103; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qealler outbound connection attempt"; flow:to_server,established; content:"/lib/qealler"; fast_pattern:only; content:"text/html, image/gif, image/jpeg, *"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d39b62692e6b2457c33adf0490584b3390df148862deebcc4dfe3126b9acc678/analysis/; classtype:trojan-activity; sid:49102; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qealler outbound connection attempt"; flow:to_server,established; content:"/lib/7z"; fast_pattern:only; content:"text/html, image/gif, image/jpeg, *"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d39b62692e6b2457c33adf0490584b3390df148862deebcc4dfe3126b9acc678/analysis/; classtype:trojan-activity; sid:49101; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Mobile|2F|BADDAD"; within:125; fast_pattern; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/599dc436c2407ca30f5c05c83761efd408acf696873d2a9c9deee0ac15b5e72c/analysis/; classtype:trojan-activity; sid:49188; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt"; flow:to_server,established; file_data; content:"|5C|x65|5C|x63|5C|x20|5C|x7b|5C|x22|5C|x2f|5C|x62|5C|x69|5C|x6e|5C|x2f|5C|x73|5C|x68|5C|x22|5C|x7d"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/f74c4406c53e5b0187b8b1cfeb5b74f88ac9294acca29bdba8bd11371b2245e8/detection; classtype:trojan-activity; sid:49208; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC PHP.PEAR.Backdoor malicious script download attempt"; flow:to_client,established; file_data; content:"|5C|x65|5C|x63|5C|x20|5C|x7b|5C|x22|5C|x2f|5C|x62|5C|x69|5C|x6e|5C|x2f|5C|x73|5C|x68|5C|x22|5C|x7d"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/f74c4406c53e5b0187b8b1cfeb5b74f88ac9294acca29bdba8bd11371b2245e8/detection; classtype:trojan-activity; sid:49207; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_server,established; file_data; content:"C|00|r|00|e|00|a|00|t|00|e|00|O|00|b|00|j|00|e|00|c|00|t|00|"; nocase; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|X|00|M|00|L|00|H|00|T|00|T|00|P|00|"; within:90; fast_pattern; content:"E|00|x|00|e|00|c|00|u|00|t|00|e|00| "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49224; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_server,established; file_data; content:"CreateObject"; nocase; content:"InternetExplorer.Application"; within:35; fast_pattern; content:"Execute "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49223; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_server,established; file_data; content:"CreateObject"; nocase; content:"Microsoft.XMLHTTP"; within:20; fast_pattern; content:"Execute "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49222; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_client,established; file_data; content:"C|00|r|00|e|00|a|00|t|00|e|00|O|00|b|00|j|00|e|00|c|00|t|00|"; nocase; content:"M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00|.|00|X|00|M|00|L|00|H|00|T|00|T|00|P|00|"; within:90; fast_pattern; content:"E|00|x|00|e|00|c|00|u|00|t|00|e|00| "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49221; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_client,established; file_data; content:"CreateObject"; nocase; content:"InternetExplorer.Application"; within:35; fast_pattern; content:"Execute "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49220; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Dropper.Brusha malicious payload download attempt"; flow:to_client,established; file_data; content:"CreateObject"; nocase; content:"Microsoft.XMLHTTP"; within:20; fast_pattern; content:"Execute "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/fd6d92fc55fa340a4c6e880f0a6376c0/; classtype:trojan-activity; sid:49219; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt"; flow:to_server,established; content:"|7E 45 EC 8A 4D F4 66 0F D6 06 88 4E 08 85 DB 74 10 FF 75 E4 8D 46 09 53 50 E8 19 9C 04 00 83 C4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/1c4745c82fdcb9d05e210eff346d7bee2f087357b17bfcf7c2038c854f0dee61/detection; classtype:trojan-activity; sid:49218; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt"; flow:to_server,established; content:"|77 FA 8A 06 84 C0 74 04 3C 20 76 E9 8B C6 5E C3 53 33 DB 39 1D 8C 16 42 00 56 57 75 05 E8 6D 26|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/detection; classtype:trojan-activity; sid:49217; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt"; flow:to_client,established; content:"|77 FA 8A 06 84 C0 74 04 3C 20 76 E9 8B C6 5E C3 53 33 DB 39 1D 8C 16 42 00 56 57 75 05 E8 6D 26|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/detection; classtype:trojan-activity; sid:49216; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Keymarble malicious executable download attempt"; flow:to_client,established; content:"|7E 45 EC 8A 4D F4 66 0F D6 06 88 4E 08 85 DB 74 10 FF 75 E4 8D 46 09 53 50 E8 19 9C 04 00 83 C4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/1c4745c82fdcb9d05e210eff346d7bee2f087357b17bfcf7c2038c854f0dee61/detection; classtype:trojan-activity; sid:49215; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt"; flow:to_server,established; file_data; content:"|55 99 52 AA 74 7F AB 0C 64 56 A7 E8 16 02 EF CB B0 10 22 8C 21 00 91 81 E0 5F 03 9E 47 08 E6 3C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/gui/file/fab4f72a1645e8520887f966b04fc557e2517c612c9a606594964c5df7857fc6/detection; classtype:trojan-activity; sid:49332; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Arescrypt malicious ransomware download attempt"; flow:to_client,established; file_data; content:"|55 99 52 AA 74 7F AB 0C 64 56 A7 E8 16 02 EF CB B0 10 22 8C 21 00 91 81 E0 5F 03 9E 47 08 E6 3C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/fab4f72a1645e8520887f966b04fc557e2517c612c9a606594964c5df7857fc6/detection; classtype:trojan-activity; sid:49331; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 443 (msg:"MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected"; flow:to_server,established; content:"Already Decrypted or Deleted HT File."; depth:37; isdataat:!38; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/gui/file/6029daa089fcc8b30cdf88c882fb0ef95586c2bbb1535dcb69e172e3d757cd93/detection; classtype:trojan-activity; sid:49330; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 443 (msg:"MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected"; flow:to_server,established; content:"Decrypted"; depth:9; isdataat:!10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/gui/file/6029daa089fcc8b30cdf88c882fb0ef95586c2bbb1535dcb69e172e3d757cd93/detection; classtype:trojan-activity; sid:49329; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 443 (msg:"MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected"; flow:to_server,established; content:"Encrypted"; depth:9; isdataat:!10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/gui/file/6029daa089fcc8b30cdf88c882fb0ef95586c2bbb1535dcb69e172e3d757cd93/detection; classtype:trojan-activity; sid:49328; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Crytekk variant post-compromise outbound connection detected"; flow:to_server,established; content:"POST"; http_method; content:"/updatecarding.php"; http_uri; content:"dispatch="; distance:1; http_uri; content:"e000d352349249f16bc630253448887754042107889d3712"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/6029daa089fcc8b30cdf88c882fb0ef95586c2bbb1535dcb69e172e3d757cd93/detection; classtype:trojan-activity; sid:49327; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"Mozilla/4.0 |28|compatible|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:49353; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.FrameworkPoS malicious executable download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"Mozilla/4.0 |28|compatible|29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:49352; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FrameworkPoS variant outbound connection attempt"; flow:to_server,established; urilen:1; content:"Content-Type: text/html"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49351; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.KerrDown download attempt"; flow:to_server,established; file_data; content:"|4E 6F 69 20 64 75 6E 67 20 63 68 69 20 74 69 65 74 20 64 6F 6E 20 6B 68 69 65 75 20 6E 61 69 20 67 75 69 20 63 6F 6E 67 20 74 79 2E 65 78 65 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/040abac56542a2e0f384adf37c8f95b2b6e6ce3a0ff969e3c1d572e6b4053ff3/analysis/; classtype:trojan-activity; sid:49359; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KerrDown download attempt"; flow:to_client,established; file_data; content:"|4E 6F 69 20 64 75 6E 67 20 63 68 69 20 74 69 65 74 20 64 6F 6E 20 6B 68 69 65 75 20 6E 61 69 20 67 75 69 20 63 6F 6E 67 20 74 79 2E 65 78 65 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/040abac56542a2e0f384adf37c8f95b2b6e6ce3a0ff969e3c1d572e6b4053ff3/analysis/; classtype:trojan-activity; sid:49358; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.KerrDown download attempt"; flow:to_server,established; file_data; content:"|46 49 56 75 78 34 4F 46 62 38 63 55 68 66 79 5A 46 6F 52 76 78 78 53 46 55 6D 6C 6A 61 47 37 48|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3/analysis/; classtype:trojan-activity; sid:49357; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KerrDown download attempt"; flow:to_client,established; file_data; content:"|46 49 56 75 78 34 4F 46 62 38 63 55 68 66 79 5A 46 6F 52 76 78 78 53 46 55 6D 6C 6A 61 47 37 48|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3/analysis/; classtype:trojan-activity; sid:49356; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KerrDown variant outbound connection"; flow:to_server,established; content:"/Avcv"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/040abac56542a2e0f384adf37c8f95b2b6e6ce3a0ff969e3c1d572e6b4053ff3/analysis/; classtype:trojan-activity; sid:49355; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KerrDown variant outbound connection"; flow:to_server,established; content:"/kuss"; fast_pattern:only; http_uri; content:"Accpet: */*"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/89e19df797481ae2d2c895bcf030fe19e581976d2aef90c89bd6b3408579bfc3/analysis/; classtype:trojan-activity; sid:49354; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"S|00|e|00|m|00|i|00|n|00|a|00|r|00|_|00|2|00|0|00|1|00|8|00|_|00|1|00|.|00|A|00|O|00|-|00|A|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d; classtype:trojan-activity; sid:49398; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f617e805ccd0b1451e1f448d1328201d79cb846ba8b5b97221c26188fd1a1836; classtype:trojan-activity; sid:49397; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId.php?q="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/dc64fec5e951acf298184be89cf89128550b318d719dcc8e2c3194ec3bdb340b; classtype:trojan-activity; sid:49396; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Danabot download attempt"; flow:to_server,established; file_data; content:"eval(replace(cjraxOontXahRJBkoHMO"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/gui/file/4d542b11ff7b3dfab52d4c9e64ae209ef9afbdfcea1910ca24815eec54944f21/detection; classtype:trojan-activity; sid:49425; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Danabot download attempt"; flow:to_client,established; file_data; content:"eval(replace(cjraxOontXahRJBkoHMO"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/4d542b11ff7b3dfab52d4c9e64ae209ef9afbdfcea1910ca24815eec54944f21/detection; classtype:trojan-activity; sid:49424; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.FrameworkPoS anti-debugging long dns query attempt"; flow:to_server; isdataat:120; content:"ABCDABCD001|04|ping|08|"; content:"ns|0A|zkamaz1902|03|com"; within:90; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:49411; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.RisingSun variant download attempt"; flow:to_server,established; content:"/s/2shp23ogs113hnd/Customer Service Representative.doc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4135f92055dba1fedafe70a8e094623889a2a53f173a8913b016667e5bc7d264; classtype:trojan-activity; sid:49479; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.RisingSun variant download attempt"; flow:to_server,established; content:"/document/Business Intelligence Administrator.doc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4135f92055dba1fedafe70a8e094623889a2a53f173a8913b016667e5bc7d264; classtype:trojan-activity; sid:49478; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Doc.Dropper.RisingSun variant download attempt"; flow:to_server,established; content:"/document/Strategic Planning Manager.doc"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/4135f92055dba1fedafe70a8e094623889a2a53f173a8913b016667e5bc7d264; classtype:trojan-activity; sid:49477; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/shop/tmp/index.php"; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49476; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/image/index.asp"; fast_pattern:only; http_uri; content:"code="; http_client_body; content:"&id="; distance:0; http_client_body; content:"&page="; distance:0; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f4ab958ac5c13a62b1e1a4287eb40d1de567ced2d919a2d9981f1abcfd244f86; classtype:trojan-activity; sid:49475; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 03 81 30 82 02 69 A0 03 02 01 02 02 08 01 2F AA E2 7B 6C 3E 74|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:trojan-activity; sid:49474; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"&page=free&wr_id="; fast_pattern:only; http_client_body; content:"&session_id="; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/47ae8a70468bf1d40a6eefe448c588b957db8813f19ff88f43c7a6ec7b1a7260; classtype:trojan-activity; sid:49473; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 03 81 30 82 02 69 A0 03 02 01 02 02 08 01 78 59 D2 99 F8 D5 0E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:trojan-activity; sid:49472; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/sub/right.asp"; fast_pattern:only; http_uri; content:"name=|22|msg|22|"; http_client_body; content:"filename="; distance:0; http_client_body; content:".jpg"; within:50; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/e2bdb93c2e8872849158dd3761501f0e02218b128059280a63f54d300cf9f69f; classtype:trojan-activity; sid:49471; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/data/bbsData/bbs.php"; fast_pattern:only; http_uri; content:"code="; http_client_body; content:"&id="; distance:0; http_client_body; content:"&page="; distance:0; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/657edbb80fc2f7ae0f592a0047c335b1775db86c1268deb766637a4bbcc4076e; classtype:trojan-activity; sid:49470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/new_board/img/bbs.asp"; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f4ab958ac5c13a62b1e1a4287eb40d1de567ced2d919a2d9981f1abcfd244f86; classtype:trojan-activity; sid:49469; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/gb/data/file/notice/main.php"; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/f4ab958ac5c13a62b1e1a4287eb40d1de567ced2d919a2d9981f1abcfd244f86; classtype:trojan-activity; sid:49468; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_server,established; content:"/ProductImage/index.asp"; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49467; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.RisingSun variant outbound connection"; flow:to_client,established; ssl_state:server_hello; content:"|30 82 03 81 30 82 02 69 A0 03 02 01 02 02 08 01 A8 20 B2 B6 30 90 67|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:trojan-activity; sid:49466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"sparc"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]sparc$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49520; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"mipsel"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]mipsel$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49519; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"i586"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]i586$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49518; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"m68k"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]m68k$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49517; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"i686"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]i686$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49516; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"ppc"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]ppc$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49515; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"x86"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]x86(_64)?$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49514; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"spc"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]spc$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49513; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"mpsl"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]mpsl$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49512; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Shade malicious executable download attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|EC 5A E4 F2 6A 79 02 A2 10 BF B8 31 33 50 51 BE AB 01 5C 08 FA 67 27 3B 98 F7 C9 CC 23 FD 85 39|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb/detection; classtype:trojan-activity; sid:49508; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Shade malicious executable download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|EC 5A E4 F2 6A 79 02 A2 10 BF B8 31 33 50 51 BE AB 01 5C 08 FA 67 27 3B 98 F7 C9 CC 23 FD 85 39|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/bf32e333d663fe20ab1c77d2f3f3af946fb159c51b1cd3b4b2afd6fc3e1897bb/detection; classtype:trojan-activity; sid:49507; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".exez?ID="; fast_pattern:only; http_uri; content:"&GUID="; http_uri; content:"&_T="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49572; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".png?ID="; fast_pattern:only; http_uri; content:"&MAC="; http_uri; content:"&OS="; http_uri; content:"&BIT="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49571; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"msiexec.exe"; fast_pattern:only; content:"/i http://"; nocase; content:" /q"; within:100; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/96e76bc147342a0ac061cabbb8bcbe0fb20c96ce6058817c295d82330631f907; classtype:trojan-activity; sid:49568; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Doc.Downloader.FlawedAmmyy download attempt"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"msiexec.exe"; fast_pattern:only; content:"/i http://"; nocase; content:" /q"; within:100; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/96e76bc147342a0ac061cabbb8bcbe0fb20c96ce6058817c295d82330631f907; classtype:trojan-activity; sid:49567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FlawedAmmyy variant outbound connection"; flow:to_server,established; content:"/s.dat"; fast_pattern:only; http_uri; urilen:6; content:!"Referer"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/3582f7d2d3a1cf122e617d6b915c808caee8aaa7befb38c08d1f0870e6ccbc23; classtype:trojan-activity; sid:49566; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedID variant payload download attempt"; flow:to_server,established; content:"/troll.jpg"; http_uri; urilen:10; metadata:impact_flag red, policy max-detect-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/d779dab43a5222e4280419a3fd6e1827f7e2beab4b81627db6cd99cc4b8dbacc/detection; classtype:trojan-activity; sid:49553; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"quart|27|s Lilian|27|s"; fast_pattern:only; content:"Shenyang|27|s stillborn"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/f97e0620e05b5d1cfcc324aac04bcc1e47053046dd3ff7c39867ac267968c5ee/detection; classtype:trojan-activity; sid:49552; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"demographically dung|27|s"; fast_pattern:only; content:"belie continuing"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/b1c5efabaca4ab6fcea8c9380599fd205d799c45b61e7a285af5e00ff1cc54d4/detection; classtype:trojan-activity; sid:49551; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"Orin|27|s infertility"; fast_pattern:only; content:"landscapes stirrup"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/01c791b5eec27209fab751c4fd769c26395eceaf71ef8dd3fa6cc32595c648d2/detection; classtype:trojan-activity; sid:49550; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"Conan McMahon"; fast_pattern:only; content:"blunts snotty"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/f97e0620e05b5d1cfcc324aac04bcc1e47053046dd3ff7c39867ac267968c5ee/detection; classtype:trojan-activity; sid:49549; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant payload download attempt"; flow:to_server,established; content:"crypt_AU3_EXE.exe"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/gui/file/d779dab43a5222e4280419a3fd6e1827f7e2beab4b81627db6cd99cc4b8dbacc/detection; classtype:trojan-activity; sid:49548; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"admin@defalult.com"; fast_pattern:only; content:"Yahho"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/gui/file/d779dab43a5222e4280419a3fd6e1827f7e2beab4b81627db6cd99cc4b8dbacc/detection; classtype:trojan-activity; sid:49547; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"Phenix"; content:"Yahos"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/#/file/d779dab43a5222e4280419a3fd6e1827f7e2beab4b81627db6cd99cc4b8dbacc/detection; classtype:trojan-activity; sid:49546; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.IcedID variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"intimidate outpatient"; fast_pattern:only; content:"ErvIn|27|s.space"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/#/file/5325a313e9462baba123761b402f2cf4cc130dc05257b34293c88bc7080a8e0d/detection; classtype:trojan-activity; sid:49545; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.IcedID variant post-config websocket outbound connection attempt"; flow:to_server,established; content:"/data2.php"; fast_pattern:only; http_uri; content:"Upgrade: websocket|0D 0A|"; http_header; content:"Connection: Upgrade"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/5325a313e9462baba123761b402f2cf4cc130dc05257b34293c88bc7080a8e0d/detection; classtype:trojan-activity; sid:49544; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Yatron variant outbound connection"; flow:to_server,established; content:"/info/info/data.php?info="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49534; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Yatron variant outbound connection"; flow:to_server,established; content:"/info/info/dashboard.html?show="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49533; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt"; flow:to_server,established; file_data; flowbits:isset,file.exe; content:"|8C 3A D9 76 C0 18 43 90 96 09 35 2C FB F7 8D 21 6E 25 DE 82 4D 81 04 8F 56 B1 65 CD DC 4F 25 CE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/gui/file/43e67197f48076d3c2f72de7d44d474dda0e6260a913e41fd6d4e9d1509f31c7/detection; classtype:trojan-activity; sid:49597; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GlobeImposter malicious executable download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|8C 3A D9 76 C0 18 43 90 96 09 35 2C FB F7 8D 21 6E 25 DE 82 4D 81 04 8F 56 B1 65 CD DC 4F 25 CE|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/43e67197f48076d3c2f72de7d44d474dda0e6260a913e41fd6d4e9d1509f31c7/detection; classtype:trojan-activity; sid:49596; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/board.php"; fast_pattern:only; http_uri; pcre:"/\/board\.php\?(m=[0-9A-F]{0,12}&)?(v=([abcef]|\d+\.\d+))/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49595; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:".php?file=Cobra_"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49594; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/indox.php?v="; fast_pattern:only; http_uri; pcre:"/\/indox\.php\x3fv=(pp|pe|s)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49593; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/bbs/data/tmp/ping.php"; fast_pattern:only; http_uri; content:"word="; nocase; http_uri; content:"note="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49592; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redaman outbound connection"; flow:to_server,established; isdataat:!292; content:"POST"; http_method; content:"/index.php"; depth:10; http_uri; content:"Content-Length: 39"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/14D33B02A497E46F470D30180A09A1057C6802C1F37B0EFBF82CBDC47A8AE7FF; classtype:trojan-activity; sid:49625; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redaman outbound connection"; flow:to_server,established; content:"/p/g_3453456jawd346.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/14D33B02A497E46F470D30180A09A1057C6802C1F37B0EFBF82CBDC47A8AE7FF; classtype:trojan-activity; sid:49624; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redaman outbound connection"; flow:to_server,established; content:"/name/d/stat-counter-3-1"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/14D33B02A497E46F470D30180A09A1057C6802C1F37B0EFBF82CBDC47A8AE7FF; classtype:trojan-activity; sid:49623; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|0D 0A|"; fast_pattern:only; content:"|20|/t"; depth:4; offset:3; content:".aspx?m="; within:20; content:!"Referer"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blogs.jpcert.or.jp/en/2018/11/tscookie2.html; classtype:trojan-activity; sid:49664; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rietspoof variant outbound connection"; flow:to_server, established; content:"|7B 75 6E 9C 4F 42 C0 18 BD BA 79 A7 F8 8C F1 CA F2 DA E5 50 6B 93 05 5C 33 FE 6B 6D 88 98 E5 31|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96/analysis/; classtype:trojan-activity; sid:49653; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt"; flow:to_server,established; content:"POST"; http_method; content:"Accept-Charset|3A|"; http_header; content:"ISO-8859-1,utf-8"; within:20; fast_pattern; http_header; content:"Content-Length|3A| 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/gui/file/6408c69e802de04e949ed3047dc1174ef20125603ce7ba5c093e820cb77b1ae1/detection; classtype:trojan-activity; sid:49724; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt"; flow:to_server,established; content:"/api/v2/set_state.php"; nocase; http_uri; content:"token|3A|"; http_header; content:"5ftgvbhiygftygo7rfvyv57ftiguvybd"; within:50; http_header; content:"id"; nocase; http_client_body; content:"command"; within:100; nocase; http_client_body; content:"state"; within:100; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341/detection; classtype:trojan-activity; sid:49682; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.Trojan.Banking outbound beacon attempt"; flow:to_server,established; content:"/api/v2/get.php"; nocase; http_uri; content:"token|3A|"; http_header; content:"5ftgvbhiygftygo7rfvyv57ftiguvybd"; within:50; http_header; content:"packageName"; nocase; http_client_body; content:"com.zvozlqawx.vbnwjvqkqza"; within:50; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/6bdfb79f813448b7f1b4f4dbe6a45d1938f3039c93ecf80318cedd1090f7e341/detection; classtype:trojan-activity; sid:49681; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49680; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49679; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation"; fast_pattern:only; content:"boost"; content:"BlockCipher"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49678; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation"; fast_pattern:only; content:"boost"; content:"BlockCipher"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49677; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6E 6E 69 6E 67 2E 2E 2E 00 20 3A 20 00 73 63 61 6E 20 66 69 6E 69 73 65 64 00 00 00 00 63 3A 2F 2E 6C 6F 67 00 77 61 72 6D 69 6E 67 20 75 70 2E 2E 2E 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49676; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"hxtensa"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]hxtensa$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49794; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"hopenrisc"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]hopenrisc$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49793; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"hnios2"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]hnios2$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49792; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Mirai variant post compromise download"; flow:to_server,established; content:"hmicroblaze"; fast_pattern:only; http_uri; content:"Host: "; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"."; within:4; http_header; content:"|0A|"; within:5; http_header; pcre:"/[\x2e\x5c\x2f\x2dyx]hmicroblaze(be|el)$/U"; flowbits:set,trojan.mirai; flowbits:noalert; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:49791; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/exe/runinfo"; fast_pattern:only; http_uri; content:"&mac="; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49790; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/updaterinfo.bin"; fast_pattern:only; http_uri; content:"User-Agent: wget|0D 0A|"; http_header; content:"Referer:"; http_header; content:"/updater/"; within:50; http_header; content:!"Accept-Encoding"; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49789; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/feedbackinfo/production/"; fast_pattern:only; http_uri; content:"User-Agent: wget|0D 0A|"; http_header; content:"Referer:"; http_header; content:"/entry/feedbackinfo/production/"; within:100; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49788; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection"; flow:to_server,established; content:"name=|22|files[]|22 3B| filename=|22|file.png|22|"; fast_pattern:only; http_client_body; content:"/upload.php"; http_uri; urilen:11; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/f481148d43b45e4ba823cb2f9f1bafab965fad3214ee21781416feada32bbdbe; classtype:trojan-activity; sid:49779; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [20,21,25] (msg:"MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection"; flow:to_server,established; file_data; content:"HawkEye Keylogger - Reborn v9 -"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp, service ftp-data, service smtp; reference:url,virustotal.com/#/file/f481148d43b45e4ba823cb2f9f1bafab965fad3214ee21781416feada32bbdbe; classtype:trojan-activity; sid:49778; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HawkEye variant outbound cnc connection"; flow:to_server,established; content:"hwid="; fast_pattern:only; http_client_body; content:"/api"; nocase; http_uri; content:"secret="; nocase; http_client_body; content:"data="; nocase; http_client_body; content:"title="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/f481148d43b45e4ba823cb2f9f1bafab965fad3214ee21781416feada32bbdbe; classtype:trojan-activity; sid:49777; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"MALWARE-CNC Win.Trojan.Imminent variant outbound connection"; flow:to_server,established; content:"SpoolColorLV"; fast_pattern:only; pcre:"/(0\|)(.+\|)([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\|SpoolColorLV\|(4444)\|\|/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49774; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Imminent variant outbound connection"; flow:to_server,established; content:"yp=IBQL0ZQN2ZGpjAwp5AQL2"; fast_pattern:only; http_uri; content:"/es/inbox.php"; http_uri; content:"login=perfectfull"; http_uri; content:"yj=KAQN1Amp0ZQt5ZmtjAmtjAwN"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49773; rev:1;)
alert tcp $EXTERNAL_NET 1060 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Imminent variant inbound response"; flow:to_client,established; content:"|2C 00 00 00 02 00 00 00 01 00 0C 24|"; fast_pattern:only; pcre:"/\$\b[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}\b/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49772; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.JasperLoader update request"; flow:established,to_client; file_data; content:"u|7C|http"; depth:6; content:"|7C|http"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0a6678204ce53902234517def01c42cd6485efafe7b4142a10287030f3f1755f/detection; classtype:trojan-activity; sid:49916; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.JasperLoader outbound connection"; flow:to_server,established; content:"?b="; depth:64; http_uri; content:"&v="; within:128; http_uri; content:"&psver="; within:16; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0a6678204ce53902234517def01c42cd6485efafe7b4142a10287030f3f1755f/detection; classtype:trojan-activity; sid:49915; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.JasperLoader outbound connection"; flow:to_server,established; content:"/loadercrypt_"; depth:13; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0a6678204ce53902234517def01c42cd6485efafe7b4142a10287030f3f1755f/detection; classtype:trojan-activity; sid:49914; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Malware.JasperLoader file download request"; flow:to_client,established; file_data; content:"d|7C|http"; depth:6; content:"|7C|http"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/0a6678204ce53902234517def01c42cd6485efafe7b4142a10287030f3f1755f/detection; classtype:trojan-activity; sid:49913; rev:1;)