# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------
# EXPLOIT-KIT RULES
#-------------------
# Astrum EK - marker rule for an outbound GET whose normalized URI is longer than
# 60 bytes and ends in a path segment of word characters/hyphens followed by "..".
# flowbits:noalert means this rule never produces an event by itself: it only sets
# the file.exploit_kit.jar/pdf/flash/silverlight bits for rules that test them later
# on the same flow. Those consumer rules are not visible in this part of the file;
# if they are disabled, this rule has no observable effect.
# "GET" and ".. HTTP/1." are matched against the raw payload (no http_* modifier).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9;)
# Flim EK - outbound JNLP request. Shipped disabled (commented out) in this file.
# Matches an 18-byte URI of the form /<12 lowercase alphanumerics>.jnlp sent with a
# header containing " Java/1.".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jnlp request"; flow:to_server,established; urilen:18; content:".jnlp"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{12}\.jnlp$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26964; rev:1;)
# Flim EK - outbound JAR request. Shipped disabled. Matches a 14-byte URI of the
# form /<9 hex characters>.jar sent with a header containing " Java/1.".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flim exploit kit outbound jar request"; flow:to_server,established; urilen:14; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-f0-9]{9}\.jar$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:26963; rev:1;)
# Flim EK - payload download. Matches a fixed 9-byte sequence at the very start of
# the response body (depth:9). The bytes are not a plain "MZ" header, so the payload
# is presumably encoded on the wire - confirm against a sample before tuning.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit portable executable download"; flow:to_client,established; file_data; content:"|4F CF 6A BC A1 03 01 00 69|"; depth:9; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26962; rev:1;)
# Flim EK - landing page. Matches a short script that creates an element, sets an
# attribute on it and appends it to document.body; the pcre requires the same
# variable name in all three steps.
# NOTE(review): dsize:<400 is a per-packet payload size test, and the Snort 2 manual
# states dsize fails on stream-rebuilt packets. Combined with file_data this likely
# limits the rule to pages delivered in one small packet - confirm that this is the
# intended coverage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flim exploit kit landing page"; flow:to_client,established; file_data; dsize:<400; content:"<html><body><script>"; content:"var"; within:3; distance:1; content:"document.createElement"; content:"iframe"; within:6; distance:2; content:".setAttribute("; distance:0; content:"document.body.appendChild("; distance:0; fast_pattern; pcre:"/var\s+(?P<variable>\w+)\=document\.createElement.*?\x3b(?P=variable)\.setAttribute.*?document\.body\.appendChild\x28(?P=variable)\x29/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26961; rev:3;)
# Zuponcic EK - landing page. Matches an <iframe> whose inline style sets
# "z-index: -1", with scrolling disabled and an http:// src, followed by the
# literal "mt" and an " id=" attribute at tightly bounded offsets. The rule has no
# fast_pattern option and every content is a short, common HTML fragment, so the
# detection rests on the exact spacing enforced by the within/distance chain.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit landing page"; flow:to_client,established; file_data; content:"<iframe style="; content:"z-index|3A| -1"; within:11; distance:1; content:"scrolling="; content:"no"; within:2; distance:1; content:"src="; within:4; distance:2; content:"http|3A 2F 2F|"; within:7; distance:1; content:"mt"; within:50; distance:10; content:" id="; within:4; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26959; rev:3;)
# Topic EK - outbound requests. The four rules below are identical except for the
# value of the "exp" URI parameter (rhino, atom, lib, byte). Each is a single
# fast_pattern:only match on the URI buffer with no further confirmation, so any
# request whose URI contains the literal string will match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 4"; flow:to_server,established; content:".php?exp=rhino&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26959; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 3"; flow:to_server,established; content:".php?exp=atom&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26958; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 2"; flow:to_server,established; content:".php?exp=lib&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26957; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Topic exploit kit outbound connection - 1"; flow:to_server,established; content:".php?exp=byte&b="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/05/31/topic-exploit-kit/; classtype:trojan-activity; sid:26956; rev:1;)
# DotkaChef/Rmayana/DotCache EK - outbound request. Matches a URI containing
# "/.cache/?f=" and ".jar" that ends with two single-letter parameters, each
# carrying a 16-character lowercase hex value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
# DotkaChef/Rmayana/DotCache EK - landing page. Matches an <applet> declared with
# width 0 and height 0 whose code attribute is "site.avi" (case-insensitive),
# followed by an archive attribute. No fast_pattern is specified.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:3;)
# DotkaChef/Rmayana/DotCache EK - inbound Java archive downloads. Both rules are
# shipped disabled. Each matches a single response-header string,
# "filename=site.jar" or "filename=atom.jar" (presumably in Content-Disposition),
# with no body inspection, so they are only as specific as those file names.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;)
# Flashpack/Safe/CritX EK - outbound payload request. Matches a URI containing
# "/load.php?e=" followed later by "&ip=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit malware download"; flow:to_server,established; content:"/load.php?e="; http_uri; content:"&ip="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26897; rev:2;)
# Flashpack/Safe/CritX EK - plugin-detection callback. Matches a URI containing
# "/gate.php?ver=" followed, in this order, by "&p=", "&j=" and "&f=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Plugin detection response"; flow:to_server,established; content:"/gate.php?ver="; http_uri; content:"&p="; distance:0; http_uri; content:"&j="; distance:0; http_uri; content:"&f="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26896; rev:2;)
# Flashpack/Safe/CritX EK - Java 7 exploit request. Matches "/j07.php?i=" in the
# URI together with " Java/1.7" in the request headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j07.php?i="; fast_pattern:only; http_uri; content:" Java/1.7"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26895; rev:2;)
# Flashpack/Safe/CritX EK - Java 6 exploit request. The header match is " Java/1.",
# which accepts any Java 1.x user agent; only the "/j161.php?i=" URI ties this
# rule to the Java 6 path named in the message.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j161.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26894; rev:2;)
# Flashpack/Safe/CritX EK - landing page. Matches "<script src=", then "js/js.js",
# then "AdobeReader" in that order anywhere in the response body. The strings are
# generic and unbounded (no within), so expect to validate hits against the URI
# rules above before acting on this one alone.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit landing page"; flow:to_client,established; file_data; content:"<script src="; content:"js/js.js"; distance:1; content:"AdobeReader"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26893; rev:2;)
# Flashpack/Safe/CritX EK - JAR and EXE downloads. Both rules look for a response
# header "filename=" followed by exactly 24 lowercase alphanumerics and the
# extension; the pcre with the H flag is what pins that shape in the headers.
# NOTE(review): the ".jar"/".exe" relative match (within:4; distance:24) carries no
# http_header modifier although the "filename=" it is relative to does, and it
# follows file_data. Confirm on your Snort build that this content chain evaluates
# against the intended buffer.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit jar file download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".jar"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26892; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Flashpack/Safe/CritX exploit kit executable download"; flow:to_client,established; file_data; content:"filename="; http_header; content:".exe"; within:4; distance:24; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/06/06/flashpack-exploit-kit-safepack/; classtype:trojan-activity; sid:26891; rev:2;)
# Blackhole v2 - initial gate of the "NatPay" mail campaign. Shipped disabled.
# Single URI match on "/natpay.html?"; the metadata assigns no policy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
# Sweet Orange EK - landing page request. Matches a URI shorter than 75 bytes that
# contains "/in.php", then "&q=", then "==" (consistent with a padded base64 value,
# as the message suggests).
# NOTE(review): the reference list cites cve,2012-0422, cve,2012-0431 and
# cve,2012-0607, while other rules in this file cite 2013-0422, 2013-0431 and
# 2012-0507. The years/digits may be transposed here - verify against the upstream
# rule before using these references for CVE-based reporting.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;)
# Blackhole v2 - initial gate of the "Linked-In" mail campaign. Shipped disabled.
# urilen:17,norm plus the 17-byte content means the normalized URI must be exactly
# "/linkendorse.html"; the metadata assigns no policy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
# NOTE(review), applies to all four rules below: each cites cve,2012-0188, while
# other rules in this file cite cve,2010-0188. The year may be mistyped - verify
# against the upstream rule before relying on it for CVE-based reporting.
#
# Redkit EK - landing page. Single match on a pipe-delimited word list
# ("|secure|length|setStr|getCookie|setCookie|indexOf|v|") in the response body,
# which looks like the dictionary of a packed script.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"|7C|secure|7C|length|7C|setStr|7C|getCookie|7C|setCookie|7C|indexOf|7C|v|7C|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26807; rev:2;)
# Redkit EK - short JNLP request. Shipped disabled. Matches a URI of the form
# /<1 to 4 lowercase alphanumerics>.jnlp; there is no header or user-agent check.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit short JNLP request"; flow:to_server,established; content:".jnlp"; fast_pattern:only; http_uri; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26806; rev:3;)
# Redkit EK - encrypted binary download. Matches a 4-byte value at the start of the
# response body, and only on flows where the java_user_agent flowbit is already set.
# The rule that sets java_user_agent is not visible in this part of the file; if it
# is disabled or missing, this rule can never fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit encrypted binary download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|FB 67 1F 49|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26805; rev:2;)
# Multiple EKs - landing page. Single match on an <applet> element immediately
# followed by a "jnlp_href" parameter with no attributes on the applet tag.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:established,to_client; file_data; content:"<applet><param name=|22|jnlp_href|22| value=|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/; classtype:trojan-activity; sid:26653; rev:5;)
# iFramer injection - single match on the literal "{catch(d21vd12v)" in the
# response body; the odd identifier is the whole signature.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"|7B|catch(d21vd12v)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26617; rev:4;)
# Impact/Stamp EK - landing page. Single match on "var sentleft={versoin:". The
# misspelling "versoin" is part of the matched string; do not correct it.
# This rule and the next share the same msg text - tell them apart by sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"var sentleft=|7B|versoin|3A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26600; rev:2;)
# Impact/Stamp EK - landing page. Single match on the script comment "/*reedjoll*/".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact/Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"/*reedjoll*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26599; rev:2;)
# Unknown EK - script injection. Matches '"+escape(' within the first 100 bytes of
# the response body, then ".charCodeAt(", then "</script>id=" within 64 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit script injection attempt"; flow:to_client,established; file_data; content:"|22|+escape|28|"; depth:100; content:".charCodeAt|28|"; distance:0; content:"</script>id="; within:64; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,threatpost.com/d-c-media-sites-hacked-serving-fake-av/; classtype:trojan-activity; sid:26591; rev:1;)
# Nuclear EK - spoofed Host header. Shipped disabled; the metadata assigns no policy.
# Matches a Host header whose name contains ".com-" followed by further host
# characters (optionally a port), together with one exact Accept header value.
# That Accept value looks like the default sent by the Java HTTP client - confirm
# before treating it as kit-specific.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:2;)
# Multiple EKs - successful redirection. Matches a URI containing "php?jnlp="
# followed by exactly 10 lowercase hex characters and then either the end of the
# URI or a comma.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit successful redirection - jnlp bypass"; flow:to_server,established; content:"php?jnlp="; fast_pattern:only; http_uri; pcre:"/php\?jnlp\=[a-f0-9]{10}($|\x2c)/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26541; rev:5;)
# iFramer injection - single match on "try{document.body-=12;}catch(dv32r3)" in the
# response body. Shares its msg text with sid 26617; tell them apart by sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer injection - specific structure"; flow:to_client,established; file_data; content:"try{document.body-=12|3B|}catch(dv32r3)"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26540; rev:4;)
# Sakura EK - PDF download. Requires the file.pdf flowbit, which is set by a rule
# not visible in this part of the file; without that rule enabled this one cannot
# fire. The only content is one fixed /CreationDate timestamp, so the rule matches
# only documents carrying exactly that value.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit pdf download detection"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"<< /CreationDate (D|3A|20130404171020)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26539; rev:2;)
# Sakura EK - landing page. Matches an empty <body> directly followed by an <input>
# whose id is single-quoted and whose value begins with "%" within 50 bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit landing page received"; flow:to_client,established; file_data; content:"<html><body></body><input id=|27|"; content:"|27| value=|27 25|"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26538; rev:2;)
# Sakura EK - JAR download. Requires the file.jar flowbit (set by a rule not
# visible here). Matches "Main.class" followed anywhere later by "NOnoa.class".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit jar download detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main.class"; content:"NOnoa.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0842; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26537; rev:2;)
# Stamp EK - landing page. Matches an <applet> tag whose archive (.jar), code
# (.class), width, height and first <param> appear in that order inside short
# within windows. No fast_pattern is specified and each string is ordinary applet
# markup, so the detection depends on the attribute order and spacing.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; within:30; distance:5; content:" code="; within:30; content:".class"; within:30; distance:5; content:" width="; within:30; content:" height="; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26536; rev:4;)
# Multiple EKs - landing page. Matches "jnlp_embedded", a later "value=", and "PD"
# one byte after it (i.e. right after the opening quote). "PD" is presumably the
# start of a base64-encoded document beginning with "<?" - confirm against a sample.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"jnlp_embedded"; content:"value="; distance:0; content:"PD"; within:2; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:26535; rev:6;)
# Stamp EK - payload request. Matches a Java client (" Java/1." in the headers)
# requesting "/elections.php?" with exactly ten name=number parameters, each value
# 1 to 3 digits, ending the URI. The rule alerts and also sets the
# file.exploit_kit.pe flowbit for rules that test it on the response; those rules
# are not visible in this part of the file. Note the policy split in the metadata:
# alert in balanced and max-detect, drop only in security.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:6;)
# Unix.Backdoor.Cdorked - possible redirect to Blackhole. Matches a request for
# "/info/last/index.php" whose Host header starts with a 63- or 64-character
# lowercase-hex label followed by a dot (pcre flags: H = header buffer,
# i = case-insensitive, m = multiline so ^ anchors at the Host line).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Unix.Backdoor.Cdorked possible blackhole request attempt"; flow:to_server,established; content:"/info/last/index.php"; fast_pattern:only; http_uri; pcre:"/^Host:\s*?[a-f0-9]{63,64}\./Him"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26527; rev:1;)
# Portable Executable with an unusual DOS stub. Matches "MZ" in the first two
# bytes of the file data and the 4-byte sequence 2F 2A 14 20 at any later offset
# (distance:0 with no within). Unlike most rules in this file it uses
# $FILE_DATA_PORTS and covers ftp-data, http, imap and pop3. Because the second
# match is unbounded, a large benign executable containing those four bytes would
# also match - review hits with that in mind.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6;)
# Sakura EK - redirection iframe. Matches an <iframe> with id "frmstyle", an
# http:// src, a height attribute within 250 bytes and a closing
# "frameborder=0></iframe>" within a further 200 bytes. No fast_pattern is specified.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit redirection structure"; flow:to_client,established; file_data; content:"<iframe id="; content:"frmstyle"; within:8; distance:1; content:" src="; within:5; distance:1; content:"http|3A 2F 2F|"; within:7; distance:1; content:" height="; within:250; content:"frameborder=0></iframe>"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26511; rev:6;)
# Multiple EKs - Java payload. Requires the file.jar flowbit (set by a rule not
# visible here). Matches the class names "Bottom.class", "Bottom10.class" and
# "Bottom11.class" in that order.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit java payload detection"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bottom.class"; content:"Bottom10.class"; distance:0; content:"Bottom11.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:26509; rev:4;)
# Multiple EKs - payload named info.dll. Header-only rule: "filename=" followed
# within 9 bytes by "info.dll" and then a CRLF within 4 bytes. The response body is
# not inspected.
# NOTE(review): this rule cites cve,2012-0188 while other rules in this file cite
# cve,2010-0188; the year may be mistyped - verify against upstream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26508; rev:3;)
# Blackhole v2 - JAR download. Shipped disabled. Matches "Suburb.class" followed
# later by "Suburb013.class" in file data on $FILE_DATA_PORTS; unlike the JAR rules
# above it does not test the file.jar flowbit.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit jar file downloaded"; flow:to_client,established; file_data; content:"Suburb.class"; content:"Suburb013.class"; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26434; rev:4;)
# Redkit EK - landing page requests. The two rules below differ only in the query
# parameter name ("j" vs "i"); sid 26345 later in this file covers "h". Each
# matches a URI between 18 and 21 bytes ending in /<4 letters>.html?<p>=<6-7 digits>.
# All three share the same msg text, so tell them apart by sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?j="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?j\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26384; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?i="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?i\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26383; rev:3;)
# Redkit EK - Java exploit request. urilen:8 with the pcre means the URI is
# /<3 lowercase alphanumerics>.jar where at least one of the three characters is a
# digit. Also requires " Java/1" in the headers and a raw-payload match on
# "content-type: application/x-java-archive"; fast_pattern:20,20 selects the last
# 20 bytes of that 40-byte string ("ation/x-java-archive") for the fast pattern
# matcher. Note that this content-type string is expected in a client request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit java exploit request"; flow:to_server,established; urilen:8; content:".jar"; http_uri; content:" Java/1"; http_header; content:"content-type|3A| application/x-java-archive"; fast_pattern:20,20; pcre:"/\/([0-9][0-9a-z]{2}|[0-9a-z][0-9][0-9a-z]|[0-9a-z]{2}[0-9])\.jar$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26377; rev:4;)
# Egypack EK - all three rules below are shipped disabled (commented out), and their
# metadata lists only the security-ips policy.
#
# Landing page: single match on "=new Array;EGYPACK_CRYPT" in the response body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"=new Array|3B|EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26368; rev:1;)
# Outbound connection: single match on a request header "User-Agent: Egypack/1.".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Egypack exploit kit outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Egypack/1."; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26367; rev:1;)
# Landing page: single match on a <script language="JavaScript"> tag immediately
# followed by "var EGYPACK_CRYPT". Shares its msg text with sid 26368.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Egypack exploit kit landing page"; flow:to_client,established; file_data; content:"<script language=|22|JavaScript|22|>var EGYPACK_CRYPT"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:26366; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Java.class"; within:10; distance:1; content:">"; within:1; distance:1; content:"<param name="; distance:0; content:"name"; within:4; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26351; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT TDS redirection - may lead to exploit kit"; flow:to_server,established; content:"/count"; http_uri; content:".php"; within:4; distance:2; http_uri; pcre:"/\/count\d{2}\.php$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26350; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit obfuscated portable executable"; flow:to_client,established; content:"filename=setup.exe"; fast_pattern:only; http_header; file_data; content:"|8B 7F AA 11 CE 52 0A 3D 76|"; depth:9; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26349; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit java exploit delivery"; flow:to_client,established; file_data; content:"Application.class"; content:"Fazan.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26348; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload requested"; flow:to_server,established; urilen:8; content:".html"; http_uri; content:" Java/1"; fast_pattern; http_header; pcre:"/\/\d{2}\.html$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26346; rev:4;)
# Redkit landing page request: URI ends in /<4 letters>.html?h=<6-7 digits>.
# The pcre carries the i flag, so the four letters match in either case, and it
# is anchored only at the end of the normalized URI. The part the pcre consumes
# is already 19-20 bytes, so the urilen:18<>21 window leaves almost no room for
# a parent directory and in practice pins the page near the web root.
# ".html?h=" is fast_pattern:only, i.e. it selects the rule for evaluation and
# is not re-checked as a positional option.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_server,established; urilen:18<>21; content:".html?h="; fast_pattern:only; http_uri; pcre:"/\/[a-z]{4}\.html\?h\=\d{6,7}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26345; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:"<applet archive="; content:".jar"; distance:0; content:" code="; within:6; distance:1; content:"Application.class"; within:17; distance:1; content:">"; within:1; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,blog.malwarebytes.org/intelligence/2013/04/redkit-exploit-kit-does-the-splits/; classtype:trojan-activity; sid:26344; rev:5;)
# Nuclear landing page: response body with an element id=?swf_id, a
# <param name=?Play? value=?0?> element, an <embed src=?http://...> and ".swf",
# plus a 32-character lowercase-alphanumeric file name ending in .jar or .swf.
# The final content:".swf" and the pcre are not relative (no distance/within,
# no R flag), so they may match anywhere in the body rather than inside the
# embed tag. The rule inspects markup only; the fourteen reference:cve entries
# list exploits attributed to the kit and are not what is being matched.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"id="; content:"swf_id"; within:6; distance:1; content:"<param name="; distance:0; content:"Play"; within:4; distance:1; content:" value="; within:7; distance:1; content:"0"; within:1; distance:1; content:"><embed src="; distance:1; content:"http|3A 2F 2F|"; within:8; distance:1; content:".swf"; pcre:"/[a-z0-9]{32}\.(?:jar|swf)/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26343; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<div class="; content:"retwretrewt"; within:11; distance:1; content:">|3A|)"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26342; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"<applet name="; content:" code="; within:100; content:" archive="; within:100; content:"http|3A 2F 2F|"; within:50; content:".jar"; distance:0; content:" codebase="; distance:0; pcre:"/[a-z0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26341; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval - ff.php"; flow:to_server,established; urilen:>16; content:"/ff.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/ff\.php/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26339; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr injection detection - leads to exploit kit"; flow:to_client,established; file_data; content:"}catch(gdsg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26338; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"prototype|3B|}catch("; content:".substr"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:26337; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit redirection page"; flow:to_client,established; file_data; content:"<frame marginwidth=0 marginheight=0 frameborder=0 name=|22|TOPFRAME|22|"; fast_pattern:only; content:"index.php?id="; content:"noresize>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:26323; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit redirection page"; flow:to_client,established; file_data; content:"var"; content:"=|22|pdf|22|"; within:25; content:"location.href="; within:250; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26297; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22| name=|22|"; within:50; content:"<param name=|22|"; within:20; distance:5; content:"|22| value=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26296; rev:3;)
# Sakura: client-to-server traffic to destination port 82 containing
# "/news/thing.php". Unlike the neighbouring rules this one hard-codes the port
# instead of $HTTP_PORTS and puts no http_uri modifier on the content, so the
# string is matched against the raw payload and does not benefit from
# http_inspect URI normalization.
# NOTE(review): presumably written this way because port 82 is not in the
# default HTTP port list - confirm against the local http_inspect config, and
# add 82 there if normalized matching on this port is wanted.
alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"EXPLOIT-KIT Sakura exploit kit exploit request"; flow:to_server,established; content:"/news/thing.php"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26293; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<object classid=|22|clsid|3A|8AD9C840-044E-11D1-B3E9-00805F499D93|22| codebase=|22|"; fast_pattern:only; content:"<param NAME=|22|ARCHIVE|22| VALUE=|22|"; metadata:service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26253; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Impact exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code=|22|"; content:".class|22| archive=|22|"; distance:0; content:".jar|22| width=|22|1|22| height=|22|1|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2010-0188; reference:cve,2012-1723; reference:cve,2012-5076; reference:cve,2013-0422; classtype:trojan-activity; sid:26252; rev:3;)
# Sweet Orange landing page: response body with <applet archive="...", then
# " code=" within 25 bytes and .class" within a further 25 bytes. Nothing
# kit-specific is matched - any page embedding an applet with a short archive
# name and the attributes in this order fits - and all three listed policies
# set the action to drop.
# NOTE(review): check internal/partner sites that still serve applets before
# enabling inline. The reference:cve entries 2012-0422, 2012-0431 and 2012-0607
# differ from the 2013-0422, 2013-0431 and 2012-0507 cited by other rules in
# this file; possibly transposed upstream - verify before using them for
# vulnerability correlation.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:25; content:".class|22|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26233; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:"<script>p=parseInt|3B|ss=String|3B|asgq="; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26232; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,unixfreaxjp.blogspot.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html; classtype:trojan-activity; sid:26227; rev:5;)
# Crimeboss redirection: response body that calls navigator.javaEnabled(), then
# document.write(' within 100 bytes, then a <script src=" tag, after which the
# relative pcre (R flag: search continues from the end of the previous match)
# looks for ".js/?<letters>=<1-4 letters>". The pcre is not anchored, so the
# ".js/?" fragment may appear anywhere after the script tag opener, not
# necessarily inside that tag's src attribute.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"navigator.javaEnabled()"; content:"document.write(|27|"; within:100; content:"<script src=|22|"; distance:0; pcre:"/\.js\/\?[a-z]+\=[a-z]{1,4}/R"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:26226; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"<applet archive=|27|http|3A 2F 2F|"; content:"|27| code=|27|JHelper|27| width=|27|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26100; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection page"; flow:to_client,established; file_data; content:"if (navigator.appName == |27|Microsoft Internet Explorer|27|) {"; content:"document.write(|27|<applet archive=|22|http|3A|//"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26099; rev:3;)
# Neutrino landing page: response body containing the JavaScript skeleton
# try{}catch( ... }try{ ... }catch( ... ;n=[ with 50/50/100-byte windows between
# the pieces. The match is on the shape of the obfuscation wrapper, not on any
# exploit content, and carries impact_flag red plus drop in all three policies.
# NOTE(review): a signature on wrapper syntax is tied to one build of the
# obfuscator; expect it to go quiet when the wrapper changes, and review hits
# on minified first-party JavaScript before trusting it inline.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"try{}catch("; content:"}try{"; within:50; content:"}catch("; within:50; content:"|3B|n=|5B|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26096; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"|3D 5B|0x9,0x9,0x2f,0x2a,0x2a,0xa,0x9,0x9,0x20,0x2a,0x20,"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html; classtype:trojan-activity; sid:26095; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page"; flow:to_client,established; file_data; content:".class|22| width=|22|10|22| height=|22|9|22|>|0D 0A|<param value=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26094; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22 20|code=|22|"; within:25; content:"|22 20|name=|22|"; within:25; content:"|22|>|0D 0A|<param name=|22|"; within:25; content:"|22 20|value=|22|http|3A 2F 2F|"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:26090; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - setup"; flow:to_server,established; content:".php?setup=d&s="; fast_pattern:only; http_uri; pcre:"/\.php\?setup=d\&s=\d+\&r=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26045; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - redirection attempt"; flow:to_server,established; content:".php?action=jv&h="; fast_pattern:only; http_uri; pcre:"/\.php\?action=jv\&h=\d+/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26044; rev:1;)
# Crimeboss: outbound request whose URI contains "/Instal.jpg" and whose
# headers contain " Java/1" (the Java runtime's User-Agent token). The signal
# is a Java client fetching an image-named resource. The msg calls this a
# Portable Executable download, but only the request is inspected; nothing here
# looks at the response, so confirm the payload from the response or from
# endpoint telemetry when triaging.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Instal.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26043; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats loaded"; flow:to_server,established; content:".php?action=stats_loaded"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26042; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/x4.gif"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26041; rev:2;)
# Crimeboss: outbound request whose URI contains "/Plugin.cpl" and whose
# headers contain " Java/1" (Java runtime User-Agent token). Only the request
# is inspected; the "Portable Executable download" in the msg is not verified
# against the response.
# NOTE(review): the ATT&CK reference T1196 (Control Panel Items) has, as far as
# I know, been superseded by a sub-technique under T1218 in current ATT&CK -
# verify the ID when mapping this alert in a SIEM.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Portable Executable download attempt"; flow:to_server,established; content:"/Plugin.cpl"; fast_pattern:only; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26040; rev:3;)
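# Crimeboss: outbound request for /jmx.jar?r=<digits> at the web root.
# Local fix: the shipped pcre left "." and "?" unescaped, so "jar?r=" parsed as
# "ja", an optional "r", then "r=". That cannot match the "/jmx.jar?r=" URI the
# content option requires, which left the rule effectively silent. Both
# characters are now escaped, as in the other Crimeboss pcres in this file
# (e.g. "\.php\?setup=d").
# The fix makes a previously silent rule live with drop in the listed policies:
# run it alert-only against representative traffic first. sid and rev are left
# as shipped, so a ruleset update will overwrite this edit; carry the fix as a
# local rule with a site-assigned sid if it has to persist.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jmx.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jmx\.jar\?r=\d+/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26039; rev:2;)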
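# Crimeboss: outbound request for /jhan.jar?r=<digits> at the web root.
# Local fix: the shipped pcre left "." and "?" unescaped, so "jar?r=" parsed as
# "ja", an optional "r", then "r=". That cannot match the "/jhan.jar?r=" URI
# the content option requires, which left the rule effectively silent. Both
# characters are now escaped, as in the other Crimeboss pcres in this file
# (e.g. "\.php\?action=jv").
# The fix makes a previously silent rule live with drop in the listed policies:
# run it alert-only against representative traffic first. sid and rev are left
# as shipped, so a ruleset update will overwrite this edit; carry the fix as a
# local rule with a site-assigned sid if it has to persist.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java exploit download"; flow:to_server,established; content:"/jhan.jar?r="; fast_pattern:only; http_uri; pcre:"/^\/jhan\.jar\?r=\d+/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26038; rev:2;)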
# Crimeboss Java exploit request: URI begins with /amor, zero to two digits,
# then ".jar", sent by a client whose headers contain " Java/". The
# within:6 on ".jar" and the \d{0,2} in the pcre agree (two digits plus the
# four-byte extension). The pcre is anchored with ^, so the jar is only matched
# when requested from the web root; the same file under a subdirectory would
# pass the content checks but fail the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - Java Exploit"; flow:to_server,established; content:"/amor"; fast_pattern; http_uri; content:".jar"; within:6; http_uri; content:" Java/"; http_header; pcre:"/^\/amor\d{0,2}\.jar/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-4681; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26036; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - java on"; flow:to_server,established; content:".php?action=stats_javaon"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26035; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit - stats access"; flow:to_server,established; content:".php?action=stats_access"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2013/02/28/slight-changes-in-crimeboss-uris/; classtype:trojan-activity; sid:26034; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit iframe redirection attempt"; flow:to_client,established; file_data; content:"try{"; content:"++}catch("; within:15; content:"{try{"; within:20; content:"}catch("; within:20; content:"=|22|"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26033; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<head><title></title></head><body><object WIDTH=|22|"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:26031; rev:4;)
# Sibhost: outbound request whose normalized URI contains one fixed
# 32-character token. This is an indicator-style match on a single literal
# string (community ruleset, impact_flag red): precise when it fires, but it
# presumably tracks one campaign or build, so any change to the token stops
# the rule matching. Do not read silence from this sid as absence of the kit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit redirection page received"; flow:to_client,established; file_data; content:"+=|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22|+|22|0|22 3B|}catch(e){var"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:26013; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"/332.jar|22| code=|22|"; content:"/887.jar|22| code=|22|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25989; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><td><h1>Loading... Please Wait.</h1></td><script>document.write("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25988; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit three number PDF Request"; flow:to_server,established; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25972; rev:3;)
# Drive-by redirect: response body containing the tail of a 1x1 iframe tag,
# literally /Home/index.php" width=1 height=1 scrolling=no></iframe>.
# The whole fragment is a single fast_pattern:only literal, so attribute order,
# spacing and the unquoted attribute values must all be byte-exact. The iframe
# host is not part of the match; take it from the captured response body during
# triage to see where the client was being sent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious payload retrieval"; flow:to_server,established; content:"/i8.php?jquery="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25824; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V5 exploit download"; flow:to_server,established; content:"/j15.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit malicious PDF retrieval"; flow:to_server,established; content:"/p5.php?t="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25822; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible plugin detection attempt"; flow:to_server,established; content:"/js/rdps.js"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaresigs.com/2012/11/27/critxpack-exploit-kit/; classtype:trojan-activity; sid:25821; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit landing page detection - specific-structure"; flow:to_client,established; file_data; content:"<title>Please Wait...</title></head><body><script>function"; fast_pattern:only; content:"<html><head>"; depth:12; metadata:service http; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:25808; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Whitehole exploit kit landing page"; flow:to_client,established; file_data; content:"<applet code"; content:".jar?java="; distance:0; content:"width="; within:15; content:"<param name="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25806; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit Java exploit retrieval"; flow:to_server,established; content:"/Java"; http_uri; content:".jar?java="; http_uri; pcre:"/\/Java([0-9]{1,2})?\.jar\?java=[0-9]{2}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25805; rev:4;)
# Whitehole jar request: normalized URI ends in ?java=<2-6 digits>. No path or
# file name is constrained; the six-byte "?java=" literal and the end-anchored
# pcre are the whole match. On a hit the rule also sets the flowbit
# file.exploit_kit.jar on the flow; the rules that test that bit are not in
# this part of the file.
# NOTE(review): any application using a trailing ?java=<digits> query matches,
# and the action is drop with impact_flag red in all three policies - check for
# legitimate use before running inline, and remember a false positive here also
# sets the flowbit for whatever rules consume it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Whitehole exploit kit malicious jar download attempt"; flow:to_server,established; content:"?java="; fast_pattern:only; http_uri; pcre:"/\?java\=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit encoded portable executable request"; flow:to_server,established; urilen:>40; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[0-9]{7,10}$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25802; rev:6;)
# Stamp jar request: URI longer than 40 bytes whose normalized form is exactly
# /<24+ alphanumerics>/<9-10 digits>/<lowercase letters>.jar (pcre anchored at
# both ends). Sets the flowbit file.exploit_kit.jar on a hit; the consuming
# rules are not in this part of the file. Action is alert in balanced-ips and
# security-ips and drop only in max-detect-ips.
# The only content option is the four-byte ".jar", so it is what selects this
# rule for evaluation: every request with ".jar" in the URI reaches the urilen
# and pcre checks.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar file request"; flow:to_server,established; urilen:>40; content:".jar"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25801; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit Javascript request"; flow:to_server,established; urilen:>40; content:"/Qm"; http_uri; content:".js"; distance:0; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/Qm[a-zA-Z0-9]+\/[a-z]+\.js$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25800; rev:6;)
# Stamp pdf request: URI longer than 40 bytes whose normalized form is exactly
# /<24+ alphanumerics>/<9-10 digits>/<lowercase letters>.pdf (pcre anchored at
# both ends). Sets the flowbit file.exploit_kit.pdf on a hit; the consuming
# rules are not in this part of the file.
# Only the max-detect-ips policy lists this rule (as alert), so under
# balanced-ips or security-ips it is not enabled and the flowbit is never set
# by it - keep that in mind if a downstream file.exploit_kit.pdf rule appears
# not to fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit pdf request"; flow:to_server,established; urilen:>40; content:".pdf"; http_uri; pcre:"/^\/[a-zA-Z0-9]{24,}\/[0-9]{9,10}\/[a-z]+\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy max-detect-ips alert, service http; reference:cve,2013-0431; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25799; rev:11;)
# Multi-kit jar request: GET for a URI longer than 36 bytes containing
# /<32 alphanumerics>.jar, from a client whose headers contain " Java/1".
# Sets the flowbit file.exploit_kit.jar on a hit. Action is alert in
# balanced-ips and security-ips and drop in max-detect-ips.
# Dependency: flowbits:isset,java_user_agent must already be true on the flow.
# That bit is set by a rule outside this part of the file; if the setter is
# disabled or its rules file is not loaded, this rule can never match, and
# nothing in the alert stream will show that. Verify the setter is enabled
# whenever this sid is.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit 32-alpha jar request"; flow:to_server,established; flowbits:isset,java_user_agent; urilen:>36; content:"GET"; http_method; content:".jar"; nocase; http_uri; content:" Java/1"; http_header; pcre:"/\/[a-zA-Z0-9]{32}\.jar/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25798; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/news.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25611; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<script>try"; content:"}catch("; within:50; content:"}try{if("; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25591; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h5>Internet Explorer and Mozilla Firefox compatible only</h5><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:25590; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"<PARAM VALUE=|22|"; content:"|22| NAME=|22|CODE|22|><PARAM NAME=|22|ARCHIVE|22| VALUE=|22|"; within:50; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25569; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/q.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/q\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25568; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width=|27|0px|27| height=|27|0px|27| code=|22|"; content:"|22| archive=|22|data"; within:50; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25561; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT JDB exploit kit landing page"; flow:to_client,established; file_data; content:"setTimeout(|22|alert(|27|Adobe Flash must be updated to view this, please install the latest version!|27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25560; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT JDB exploit kit landing page retrieval"; flow:to_server,established; urilen:>33; content:"/jdb/inf.php?id="; fast_pattern:only; http_uri; pcre:"/\/jdb\/inf\.php\?id=[a-f0-9]{32}$/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.com/2013/01/peeking-at-jdb-exploit-kit-infector.html; classtype:trojan-activity; sid:25559; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit redirection"; flow:to_client,established; file_data; content:"{ var"; content:"= document.createElement(|27|iframe|27|)|3B|"; content:".src = |27|http|3A 2F 2F|"; content:"|27 3B| "; distance:0; content:".style.position = |27|absolute|27 3B|"; distance:0; content:".style.border = |27|0|27 3B| "; distance:0; content:".style.height = |27|1px|27 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:25558; rev:3;)
# sid 25540 - Red Dot payload request. Matches an outbound HTTP request whose URI
# contains, in order and case-insensitively, "/load.php?guid=", "&thread=",
# "&exploit=" and then "&version=" starting exactly one byte after "&exploit="
# (within:9 with distance:1 on a nine-byte pattern), i.e. a one-character exploit value.
# NOTE(review): the last content, "&rnd=", has neither http_uri nor nocase, so unlike
# the four before it, it is not restricted to the URI buffer - confirm this is intended.
# The rule action is "alert"; the "drop" entries under metadata are policy hints for a
# rule manager and do not by themselves make this rule block when loaded as-is.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot executable retrieval attempt"; flow:to_server,established; content:"/load.php?guid="; nocase; http_uri; content:"&thread="; distance:0; nocase; http_uri; content:"&exploit="; distance:0; nocase; http_uri; content:"&version="; within:9; distance:1; nocase; http_uri; content:"&rnd="; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25540; rev:2;)
# sid 25539 - Red Dot jar request. urilen:6 together with the two content matches
# ("/" then ".jar" exactly one byte later) describes a six-byte URI of the form
# /<one byte>.jar. On a match the rule sets the flowbit file.exploit_kit.jar.
# NOTE(review): the pcre escapes the opening bracket ("\[fx]"), so it asks for the
# literal text "/[fx].jar" (nine bytes) at the end of the URI. That cannot hold
# together with urilen:6, so as written this rule looks unable to fire and never sets
# the flowbit. The intended expression is presumably /\/[fx]\.jar$/U - verify against
# the referenced write-up. If corrected, carry the fix as a copy in a local rules file
# under a site-local sid (1000000 or above) so a vendor rule update does not revert it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Red Dot java retrieval attempt"; flow:to_server,established; urilen:6; content:"/"; http_uri; content:".jar"; within:4; distance:1; http_uri; pcre:"/\/\[fx]\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25539; rev:3;)
# sid 25538 - Red Dot landing page. Inspects the HTTP response body (file_data) for an
# <applet> tag whose archive value is a single byte followed by .jar" code=" (twelve-byte
# pattern, within:12 with distance:1), then a 100x100 width/height pair within 50 bytes,
# plus two <param> elements named guid and thread, each followed within 10 bytes by
# " value=".
# NOTE(review): the guid pattern is "<param name|22|guid" with no "=" after "name",
# while the thread pattern is "<param name=|22|thread". Either the kit's markup really
# omitted the "=" or this is a typo that stops the rule from matching; check against a
# captured landing page before relying on this sid.
# The "<param ...>" contents carry no distance/within, so they are not positioned
# relative to the <applet> tag and may match anywhere in the body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Red Dot landing page"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:".jar|22| code=|22|"; within:12; distance:1; content:"width=|22|100|22| height=|22|100|22|>"; within:50; content:"<param name|22|guid"; content:"|22| value=|22|"; within:10; content:"<param name=|22|thread"; content:"|22| value=|22|"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/meet-red-dot-exploit-toolkit.html; classtype:trojan-activity; sid:25538; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit obfuscated payload download"; flow:to_client,established; flowbits:isset,java_user_agent; file_data; content:"|22 2A|"; depth:2; content:"s"; within:1; distance:2; content:"|27|"; within:1; distance:3; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html; classtype:trojan-activity; sid:25391; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<h1>Open your server</h1>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25390; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:15; distance:5; content:".class|22| width=|22|"; within:30; distance:5; content:"|22| height=|22|"; within:25; content:"<param"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:25389; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/public_version.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25388; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.exe"; flow:to_client,established; content:"filename="; http_header; content:"readme.exe"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25387; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.exe"; flow:to_client,established; content:"filename="; http_header; content:"about.exe"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25386; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.exe"; flow:to_client,established; content:"filename="; http_header; content:"calc.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25385; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.exe"; flow:to_client,established; content:"filename="; http_header; content:"contacts.exe"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25384; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.exe"; flow:to_client,established; content:"filename="; http_header; content:"info.exe"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:25383; rev:4;)
# sid 25302 - jar download containing both "hw.classPK" and "test.classPK" in the
# response body. The two contents are unordered: neither has distance/within, and
# "hw.classPK" is used only as the fast pattern.
# Dependency: the rule is gated on flowbits:isset,file.jar. The other rules in this
# part of the file set file.exploit_kit.jar, not file.jar, so that bit is presumably set
# by file-identification rules kept in another rules file - TODO confirm that ruleset is
# loaded in this deployment. Without a rule that sets file.jar on the same flow, this
# signature is never satisfied and gives no coverage for the referenced CVE.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar archive download"; flow:established,to_client; flowbits:isset,file.jar; file_data; content:"hw.classPK"; fast_pattern:only; content:"test.classPK"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25302; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirect to malicious java archive attempt"; flow:to_client,established; file_data; content:"|3C|applet archive|3D 22 2F|read|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,57246; reference:cve,2013-0422; reference:url,malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html; classtype:attempted-user; sid:25301; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe name="; content:"=auto frameborder=no align=center height=2 width=2 src=http|3A|//"; within:75; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:25255; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit portable executable download request"; flow:to_server,established; content:" Java/"; http_header; content:"&h=11"; fast_pattern:only; http_uri; pcre:"/\&h=11$/U"; flowbits:set,file.pe.styx; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25140; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:75<>98; content:".eot"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.eot$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25139; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit pdf outbound connection"; flow:to_server,established; urilen:75<>98; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\/[a-zA-Z0-9]{76,81}\/[a-zA-Z0-9]{4,10}\.pdf$/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25138; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>150; content:".jar"; fast_pattern:only; http_uri; content:!"Cookie"; nocase; http_header; pcre:"/\/[a-zA-Z0-9]{4,10}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25137; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection"; flow:to_server,established; urilen:>100; content:"/pdfx.html"; fast_pattern:only; http_uri; pcre:"/\/pdfx\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:25136; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit outbound class retrieval"; flow:to_server,established; content:"Runs.class"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25053; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit requested - 3 digit"; flow:to_server,established; urilen:8; content:".jar"; http_uri; pcre:"/\x2f\d{3}\.jar/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25052; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page redirection"; flow:to_client,established; file_data; content:".jar|22| code=|22|Runs.class|22|><param "; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; classtype:trojan-activity; sid:25051; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Library exploit download"; flow:to_server,established; content:"/lpdf.php?i="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25048; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V7 exploit download"; flow:to_server,established; content:"/j17.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25047; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java V6 exploit download"; flow:to_server,established; content:"/j16.php?i="; fast_pattern:only; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:25046; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Collocation"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:25044; rev:3;)
# sid 25043 - Blackhole v2 request URI shape: ".php?" + a 2-8 letter parameter name +
# "=" + five two-character groups separated by ":" + "&" + another 2-8 letter name + "=".
# The content chain only pins the positions of the four colons; the pcre carries the
# exact structure and accepts lowercase letters and digits only (no /i flag).
# The longest literal available to the fast-pattern matcher is the five-byte ".php?",
# so most PHP requests with a query string reach the content/pcre stage; watch this sid
# in rule profiling on busy links.
# NOTE(review): content:"&" has distance:0 but no http_uri, so unlike the preceding
# contents it is not restricted to the URI buffer - confirm this is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit url structure detected"; flow:to_server,established; content:".php?"; http_uri; content:"|3A|"; within:7; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"|3A|"; within:1; distance:2; http_uri; content:"&"; distance:0; pcre:"/\.php\?[a-z]{2,8}=[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\x3a[a-z0-9]{2}\&[a-z]{2,8}=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:25043; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java User-Agent downloading Portable Executable - Possible exploit kit"; flow:to_client,established; flowbits:isset,java_user_agent; content:!"FTB_Launcher.exe"; nocase; http_header; content:"filename="; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, service http; reference:cve,2012-5076; reference:url,malware.dontneedcoffee.com/2012/11/cve-2012-5076-massively-adopted.html; classtype:trojan-activity; sid:25042; rev:5;)
# sid 25041 - helper rule, not a detection on its own. When an outbound request carries
# a User-Agent header containing "Java/1." it sets the flowbit java_user_agent and, because
# of flowbits:noalert, generates no event.
# Consumers in this file (flowbits:isset,java_user_agent): sid 25798 (enabled) and
# sids 25391 and 25042 (shipped commented out). Disabling this sid silently disables
# every rule that tests the bit.
# Its metadata has no "policy" entry, only "service http"; where rule state is derived
# from policy metadata, confirm this sid still ends up enabled alongside its consumers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Java User-Agent flowbit set"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:"Java/1."; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\x0d\x0a]*Java\/1\./H"; flowbits:set,java_user_agent; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:25041; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection"; flow:to_server,established; content:"/build/agrde/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24979; rev:2;)
# sid 24978 - ProPack payload request made by a Java client: URI containing
# ".php?j=1&k=" and a request header containing " Java/1". The pcre then requires the
# URI to end with a single digit after "k=", optionally followed by "i=" and one digit.
# NOTE(review): the optional group is "(i=[0-9])?" with no "&" in front of "i=", so a
# URI ending in "k=<digit>&i=<digit>" does not match, only "k=<digit>" or
# "k=<digit>i=<digit>". This may be a dropped "&" rather than the kit's real format;
# verify against sample traffic before treating the rule as covering the "i" variant.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound payload request"; flow:to_server,established; content:".php?j=1&k="; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.malwaredomainlist.com/mdl.php?search=build%2Fagrde&colsearch=All&quantity=50&inactive=on; classtype:trojan-activity; sid:24978; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT ProPack exploit kit outbound connection attempt"; flow:to_server,established; content:"/build2/serge/opafv.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,urlquery.net/search.php?q=build2%2Fserge&type=string&start=2012-11-22&end=2012-12-07&max=50; reference:url,www.malwaredomainlist.com/mdl.php?search=build2%2Fserge&colsearch=Domain&quantity=50&inactive=on; classtype:trojan-activity; sid:24977; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"{if(typeof"; content:"(0,1))|3B|}}return this|3B|}"; within:100; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681; classtype:trojan-activity; sid:24888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24865; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer/Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24864; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24863; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer / Mozilla Firefox compatible only</h4><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24862; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page in an email"; flow:to_server,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24861; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<h1><b>Please wait... You will be forwarded..."; content:"</h1></b>"; within:11; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; classtype:trojan-activity; sid:24860; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit outbound JAR download attempt"; flow:to_server,established; content:"?s="; http_uri; content:"&m="; within:3; distance:1; http_uri; pcre:"/^\x2f[A-Za-z0-9]{33}\?s=\d\&m=\d$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:24841; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - JAR redirection"; flow:to_client,established; file_data; content:"<applet archive=|22|"; content:"|22| code=|22|"; within:12; distance:6; content:"|22| width|3D 22|"; within:12; distance:9; content:"|22| height|3D 22|"; within:12; content:"|0D 0A|<param"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24840; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<meta name=|22|keywords|22| content=|22 22| />"; content:"<title>Blob"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:url,malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html; classtype:trojan-activity; sid:24839; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/org.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24797; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/net.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24796; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/edu.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24795; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit Class download attempt"; flow:to_server,established; content:"/com.class"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:" Java/1."; distance:0; http_header; pcre:"/User-Agent\x3a[^\r\n]*Java\/1\./H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:24794; rev:6;)
# sid 24793 - KaiXin Java class download (server -> client on $FILE_DATA_PORTS).
# The file data must begin with "PK" (depth:2, the ZIP/JAR magic) and contain the entry name
# "GondadGondadExp.class" anywhere after it.
# Service metadata lists ftp-data, http, imap and pop3, so the rule is not limited to web downloads.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit Java Class download"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"GondadGondadExp.class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; reference:url,urlquery.net/report.php?id=222114; classtype:trojan-activity; sid:24793; rev:5;)
# CritX (sids 24785-24791): request/response pairs for the redirect, PDF, JAR and executable stages.
# All content matches in this group are case-sensitive (no nocase modifier is used).
#
# sid 24791 - response headers only: " filename=" followed by ".exe" + CRLF, and a pcre requiring
# "filename=" + 24 lowercase alphanumerics + ".exe". The response body is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable download"; flow:to_client,established; content:" filename="; http_header; content:".exe|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.exe/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24791; rev:3;)
# sid 24790 - request URI containing "load.php?e=u" with "&token=" somewhere after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Portable Executable request"; flow:to_server,established; content:"load.php?e=u"; http_uri; content:"&token="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24790; rev:3;)
# sid 24789 - response headers: "application/pdf" plus an inline Content-Disposition whose filename is
# "p50" + 9 lowercase alphanumerics + 12 digits + ".pdf".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit download attempt"; flow:to_client,established; content:"application/pdf"; http_header; content:"Content-Disposition|3A| inline|3B| filename=p50"; http_header; content:".pdf|0D 0A|"; distance:0; http_header; pcre:"/filename=p50[a-z0-9]{9}[0-9]{12}\.pdf/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24789; rev:5;)
# sid 24788 - request URI containing "p3.php?t=u" with "&oh=" somewhere after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit PDF Exploit request structure"; flow:to_server,established; content:"p3.php?t=u"; http_uri; content:"&oh="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24788; rev:3;)
# sid 24787 - same header check as sid 24791, but for a 24-character ".jar" filename.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit download"; flow:to_client,established; content:" filename="; http_header; content:".jar|0D 0A|"; distance:0; http_header; pcre:"/filename\=[a-z0-9]{24}\.jar/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24787; rev:3;)
# sid 24786 - request URI containing "j.php?t=u" whose headers contain lowercase "content-type" followed by
# "x-java-archive" + CRLF, plus " Java/1." elsewhere in the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"j.php?t=u"; http_uri; content:"content-type"; http_header; content:"x-java-archive|0D 0A|"; distance:0; http_header; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24786; rev:3;)
# sid 24785 - request URI containing "/i.php?token=" and nothing else; the msg itself says "possible".
# NOTE(review): a single URI substring with no further constraint may also match unrelated PHP applications -
# review events from this sid before letting it block traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit possible redirection attempt"; flow:to_server,established; content:"/i.php?token="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html; classtype:trojan-activity; sid:24785; rev:2;)
# KaiXin attack vector (sids 24667-24670): two fixed 32-byte sequences, each checked on two paths -
# inbound SMTP to $SMTP_SERVERS port 25 (24670, 24669) and server-to-client on $FILE_DATA_PORTS (24668, 24667).
# Every rule requires a flowbit to be set on the flow already: file.cws for the first sequence, file.zip for
# the second. The sequence may appear anywhere in file_data (fast_pattern:only, no offset or depth).
# NOTE(review): nothing in this part of the file sets file.cws or file.zip; presumably the file-identification
# rules do. Confirm those rules are loaded and enabled, otherwise these four rules can never fire.
# NOTE(review): the sequences look like bytes of compressed content, so they are probably specific to the
# observed samples - treat a miss as "not this sample", not as "clean".
#
# sid 24670 - SMTP, requires file.cws.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24670; rev:5;)
# sid 24669 - SMTP, requires file.zip.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24669; rev:5;)
# sid 24668 - $FILE_DATA_PORTS to client (ftp-data, http, imap, pop3), requires file.cws.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|CF EC E2 69 76 F1 35 BB 78 9B 5D FC CD 2E 1E 67 17 9F B3 8B D7 D9 C5 EF EC E2 79 76 F1 3D BB 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24668; rev:5;)
# sid 24667 - $FILE_DATA_PORTS to client (ftp-data, http, imap, pop3), requires file.zip.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT KaiXin exploit kit attack vector attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|C0 B0 2F AC 50 78 D3 F3 C2 0E 4D 5F 94 8B 96 2D CC 52 DA 88 8C B4 61 A4 52 FA 06 DC C4 F1 38 63|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2011-1255; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-1889; classtype:attempted-user; sid:24667; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection successful"; flow:to_server,established; content:"/forum/links/column.php"; fast_pattern:only; http_uri; content:".ru|3A|8080|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24638; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_client,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24637; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page - specific structure"; flow:to_server,established; file_data; content:"<h4>Internet Explorer compatible only</h4><br>|0D 0A 0D 0A 0D 0A|<script>try"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24636; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_server,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24608; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received - specific structure"; flow:to_client,established; file_data; content:"<html><head><title></title></head><body><div "; depth:60; pcre:"/body\x3e\x3cdiv\s[a-z]{3}\x3d\x22[a-z]{3}\x22/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24593; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=window["; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24548; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<script>"; nocase; content:"try{"; within:20; nocase; content:"}catch("; within:20; nocase; content:"try{"; within:20; content:"}catch("; within:20; content:"=new Array("; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24547; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h3>Internet Explorer or Mozilla Firefox compatible only </h3><br>"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:24546; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page outbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24544; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole admin page inbound access attempt"; flow:to_server,established; content:"/bhadmin.php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24543; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit fallback executable download"; flow:to_server,established; content:"/adobe/update_flash_player.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:24501; rev:5;)
# sid 24344 - unattributed exploit kit redirection page (server -> client on $FILE_DATA_PORTS).
# Four case-insensitive strings must appear in this order in file_data: "<script", then
# ="constructor";var (the declared fast pattern), then ';var appVersion_var=" and finally
# "].apply(document_body_var,[". distance:0 enforces only the order, not proximity.
# The rule keys on these variable names, so a page that renames them would not match.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown exploit kit redirection page"; flow:to_client,established; file_data; content:"<script"; nocase; content:"|3D 22|constructor|22 3B|var|20|"; distance:0; fast_pattern; nocase; content:"|27 3B|var appVersion_var|3D 22|"; distance:0; nocase; content:"].apply(document_body_var,["; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,jsunpack.jeek.org/?report=bf7e015d53808a6e94365139395d4d29e5d41840; classtype:trojan-activity; sid:24344; rev:2;)
# Crimeboss (sids 24231-24234). The three outbound rules share one msg string, so tell them apart by sid
# when triaging. All three require "/cr1m3/" in the URI as the fast pattern.
#
# sid 24234 - URI ends with "setup=<letter>&s=<digit>&r=<5 digits>" (pcre is case-insensitive, end-anchored).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; content:"&s="; distance:0; nocase; http_uri; content:"&r="; distance:0; nocase; http_uri; pcre:"/setup=[a-z]\&s=\d\&r=\d{5}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24234; rev:3;)
# sid 24233 - URI ends with "setup=<single letter>" and nothing after it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?setup="; nocase; http_uri; pcre:"/setup=[a-z]$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24233; rev:2;)
# sid 24232 - URI contains "php?action=" and ends with "&h=<5 digits>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimeboss exploit kit outbound connection"; flow:to_server,established; content:"/cr1m3/"; fast_pattern:only; http_uri; content:"php?action="; nocase; http_uri; content:"&h="; distance:0; nocase; http_uri; pcre:"/\&h=\d{5}$/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24232; rev:3;)
# sid 24231 - response body: "if(navigator.javaEnabled()) {", then "document.write(" within 30 bytes, then
# "php?" within 75 bytes, then "action=" or "setup=" with a 1-4 letter value somewhere after that point
# (the pcre is relative to the last content match and is not anchored). This rule does not require "/cr1m3/".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimeboss exploit kit redirection attempt"; flow:to_client,established; file_data; content:"if(navigator.javaEnabled()) {"; content:"document.write("; within:30; content:"php?"; within:75; pcre:"/(action|setup)=[a-z]{1,4}/Ri"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:cve,2012-4681; classtype:trojan-activity; sid:24231; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page Received"; flow:to_client,established; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{10,64}&[a-z]{2,12}=.*?&[a-z]{2,12}=/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:misc-activity; sid:24228; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page received"; flow:to_client,established; file_data; content:"value="; content:"N0b09090"; within:10; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:24226; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<script>try{"; content:"++"; within:20; nocase; content:"}catch("; within:10; nocase; content:"}catch("; within:50; pcre:"/\x3cscript\x3etry\x7b\w+\x2b\x2b([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24054; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure"; flow:to_client,established; file_data; content:"<html><body><applet/code=|22|"; content:"/archive=|22|"; within:20; content:".jar"; within:20; content:"<param/nam="; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:24053; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - fewbgazr catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"fewbgazr"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/fewbgazr([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23962; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - hwehes"; flow:to_client,established; file_data; content:"hwehes"; fast_pattern:only; pcre:"/hwehes[a-z0-9]{15,22}hwehes/smi"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,jsunpack.jeek.org/dec/go?report=b50c0b809c0decade20f7f8a18116d1bdc9cd179; classtype:trojan-activity; sid:23850; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"?page="; fast_pattern:only; http_uri; pcre:"/\?page\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23849; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"profile.php?woman="; http_uri; pcre:"/profile\.php\?woman\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:23848; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole redirection page"; flow:to_client,established; file_data; content:"width|3D 27|10|27| height|3D 27|10|27| style|3D 27|visibility|3A|hidden|3B|position|3A|absolute|3B|left|3A|0|3B|top|3A|0|3B 27 3E 3C 2F|iframe|3E 22|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,www.urlquery.net/report.php?id=113788; classtype:trojan-activity; sid:23797; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.round catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.round"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2eround([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23786; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - Math.floor catch"; flow:to_client,established; file_data; content:"<script>try{"; content:"Math.floor"; within:50; nocase; content:"}catch("; within:10; nocase; pcre:"/Math\x2efloor([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:attempted-user; sid:23785; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; file_data; content:"<html><body><script>z=function(){"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:23781; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page request - tkr"; flow:to_server,established; content:".php?"; http_uri; content:"src="; distance:0; http_uri; content:"&gpr="; distance:0; http_uri; content:"&tkr="; distance:0; fast_pattern; http_uri; pcre:"/src=\d+&gpr=\d+&tkr[ib]?=/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,urlquery.net/report.php?id=90530; classtype:trojan-activity; sid:23622; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch broken"; flow:to_client,established; file_data; content:"totype"; content:"}catch("; distance:0; pcre:"/totype(\x22|\x27)([^\x7d]{1,4})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,labs.sucuri.net/?malware; classtype:attempted-user; sid:23619; rev:7;)
# Redkit landing page, two-stage detection through the kit.redkit flowbit (sids 23225 and 23224).
# The checker (23225) appears first in the file; the setter (23224) follows it.
#
# sid 23225 - response body containing "<applet" on a flow where kit.redkit is already set.
# "<applet" alone is generic, so this rule is meaningful only in combination with sid 23224.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and flowbit"; flow:to_client,established; flowbits:isset,kit.redkit; file_data; content:"<applet"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23225; rev:7;)
# sid 23224 - request whose URI is exactly "/" + 8 digits + ".html" (urilen:14). Sets kit.redkit and,
# because of flowbits:noalert, never produces an event of its own.
# Disabling or commenting out this rule silently disables sid 23225 as well.
# NOTE(review): this rule carries only the max-detect-ips policy while 23225 is also in balanced-ips and
# security-ips; if rules are enabled per policy, confirm the tooling resolves the flowbit dependency.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit landing page Requested - 8Digit.html"; flow:to_server,established; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,kit.redkit; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23224; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and code"; flow:to_client,established; file_data; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; metadata:policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23223; rev:8;)
# sid 23222 - Redkit landing page (server -> client on $FILE_DATA_PORTS), no flowbit required.
# "<applet" is used only as the fast pattern; the pcre does the real work: an <applet ...> tag whose
# archive or src attribute (quoted or unquoted) is "<5 digits>.jar" or a path ending in "/<5 digits>.jar".
# Both [^>]+ runs stop at the end of the tag, so the match cannot extend past the closing ">".
# Listed as alert (not drop) in the balanced-ips and security-ips policies.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit exploit kit landing page Received - applet and 5 digit jar attempt"; flow:to_client,established; file_data; content:"<applet"; fast_pattern:only; pcre:"/<applet[^>]+(archive|src)\s*?=\s*?(\x22|\x27|)\s*?(\d{5}\.jar|[^>]+\/\d{5}\.jar)/smi"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23222; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Redkit Jar File Naming Algorithm"; flow:to_client,established; content:"Content-Disposition: inline"; nocase; http_header; content:".jar"; fast_pattern; http_header; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; within:2; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23221; rev:8;)
# Redkit jar request (sid 23220). urilen:10 and the anchored pcre pin the URI to
# exactly /<5 digits>.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit Requested - 5 digit jar"; flow:to_server,established; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23220; rev:6;)
# Redkit class request (sid 23219). The anchored pcre accepts
# /<1-2 word chars>/<1-3 word chars>.class; there is no urilen or flowbit, so the
# URI shape is the only evidence.
# NOTE(review): short package and class names may also occur in benign applets;
# corroborate hits with the other Redkit sids before acting on them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit Java Exploit request to .class file"; flow:to_server,established; content:".class"; http_uri; pcre:"/^\/\w{1,2}\/\w{1,3}\.class$/U"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:cve,2013-2423; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; classtype:trojan-activity; sid:23219; rev:7;)
# Redkit repeated request pattern (sid 23218). only_stream restricts the match to
# reassembled stream data, and detection_filter suppresses events until one source
# address exceeds 5 matches in 15 seconds.
# NOTE(review): track by_src counts per source IP, so clients behind a shared NAT
# or proxy are counted together.
# NOTE(review): the pcre is anchored with ^ directly before "images.php"; if the
# normalized URI buffer begins with "/", the pattern cannot match. Verify with a
# test pcap before relying on this sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit Repeated Exploit Request Pattern"; flow:to_server,established,only_stream; content:"images.php?t="; fast_pattern:only; http_uri; pcre:"/^images.php\?t=\d{2,7}$/U"; detection_filter:track by_src, count 5, seconds 15; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-4681; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,snort.org/rule_docs/1-23218; classtype:trojan-activity; sid:23218; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page download attempt"; flow:to_client,established; file_data; content:"<h"; nocase; content:"><b>Please wait a moment. You will be forwarded.."; within:54; distance:1; nocase; content:"</h"; within:10; content:"></b>|0D 0A|"; within:7; distance:1; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23159; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype-"; content:"}catch("; distance:0; pcre:"/prototype\x2d([^\x7d]{1,5})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:23158; rev:7;)
# Nuclear Pack payload request (sid 23157). urilen:47, "/g/" within the first three
# URI bytes and the pcre together describe /g/<9 digits>/<32 hex chars>/<1 digit>.
# Tagged drop in the balanced, max-detect and security policies. The CVE list and
# the eset.com reference are Blackhole material, so use the sid, not the
# references, to tell which kit an alert belongs to.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Pack exploit kit binary download"; flow:to_server,established; urilen:47; content:"/g/"; depth:3; http_uri; pcre:"/g\/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,snort.org/rule_docs/1-23157; classtype:trojan-activity; sid:23157; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Nuclear Pack exploit kit landing page"; flow:to_server,established; urilen:43; content:"/index.php?"; fast_pattern:only; http_uri; pcre:"/index.php\?[0-9a-f]{32}$/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection; reference:url,blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/; reference:url,snort.org/rule_docs/1-23156; classtype:bad-unknown; sid:23156; rev:11;)
# Generic script-obfuscation heuristics (sids 23149, 23148, 23147). They are not
# tied to a named kit and are tagged drop in the balanced and security policies.
# NOTE(review): a page that quotes or legitimately uses such script would match
# too; review the first hits before leaving these in drop mode.
#
# sid 23149: response body contains StrReverse(" followed by
# "Scripting.FileSystemObject" spelled backwards.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Scripting.FileSystemObject"; flow:to_client,established; file_data; content:"StrReverse|28 22|tcejbOmetsySeliF.gnitpircS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23149; rev:3;)
# sid 23148: StrReverse(" followed by "Shell" spelled backwards. The pattern covers
# only the start of the reversed literal, so any object name that ends in "Shell"
# satisfies it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious StrReverse - Shell"; flow:to_client,established; file_data; content:"StrReverse|28 22|llehS"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23148; rev:3;)
# sid 23147: a double-quoted string starting with taskkill, with StrReverse
# anywhere after it in the same body (distance:0 fixes only the order).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Suspicious taskkill script - StrReverse"; flow:to_client,established; file_data; content:"|22|taskkill"; content:"StrReverse"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.cse.msu.edu/~soodadit/papers/VB_2011_AKS_RJE_CONF_PRES.pdf; classtype:attempted-user; sid:23147; rev:3;)
# sid 23141: the literal heading <h2>Wait your order</h2> in a response body. Going
# by the reference URL, it is a payment-notification lure page that redirects to
# Blackhole.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fake transaction redirect page to exploit kit"; flow:to_client,established; file_data; content:"<h2>Wait your order</h2>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/spam-scams/paypal-payment-notification-leads-to-blackhole-exploit-kit.html; classtype:attempted-user; sid:23141; rev:3;)
# sid 23106: a 1x1 <applet> followed, in this order, by <param> tags named WINDOWS,
# OSX, LINUX and 64. "SET" in the msg presumably means the Social-Engineer Toolkit
# (confirm). Tagged drop even in connectivity-ips.
# NOTE(review): an authorised social-engineering exercise using the same page
# template would match as well; check for scheduled tests during triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SET java applet load attempt"; flow:to_client,established; file_data; content:"<applet width=|22|1|22| height=|22|1|22|"; fast_pattern; content:"<param name=|22|WINDOWS|22| value="; distance:0; nocase; content:"<param name=|22|OSX|22| value="; distance:0; nocase; content:"<param name=|22|LINUX|22| value="; distance:0; nocase; content:"<param name=|22|64|22| value="; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:23106; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole redirection attempt"; flow:to_server,established; content:"src.php?case="; http_uri; pcre:"/src.php\?case\=[a-f0-9]{16}/Usmi"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22949; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole landing redirection page"; flow:to_client,established; file_data; content:"document.location|3D 27|http|3A 2F 2F|"; content:"showthread.php?t="; distance:0; pcre:"/showthread\.php\?t\=[a-f0-9]{16}\x27\x3b/smi"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:22041; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"ype|22|].q}catch("; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,research.zscaler.com/2012/04/multiple-hijacking.html; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22040; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole suspected landing page"; flow:to_client,established; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:22039; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit landing page with specific structure - Loading"; flow:to_client,established; file_data; content:"|0D 0A 0D 0A|<h1><b>Loading...Please Wait...</b>|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21876; rev:8;)
# sid 21875: response body contains both "exec " and "taskkill /F /IM". Neither
# content has a positional modifier, so the two strings may appear anywhere in the
# body and in either order. classtype is successful-user, but the rule inspects
# server-to-client content only; it does not observe anything executing on a host.
# NOTE(review): administration guides and forum posts that quote taskkill commands
# would match too, and the rule is tagged drop in the balanced policy. Treat a hit
# as a lead to confirm on the endpoint.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - taskkill"; flow:to_client,established; file_data; content:"exec "; content:"taskkill /F /IM"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21875; rev:5;)
# sid 21874: response body contains Createobject(StrReverse( . A page that carries
# this call with a reversed "Shell" or "Scripting.FileSystemObject" literal also
# satisfies sid 23148 or 23149, so one response can raise several events.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Possible exploit kit post compromise activity - StrReverse"; flow:to_client,established; file_data; content:"Createobject(StrReverse("; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:successful-user; sid:21874; rev:5;)
# Bleeding Life module calls (sids 21686 down to 21678). Each rule matches one
# literal ".php?e=<module name>" in the request URI and nothing else. The msg text
# is the same for all but sid 21679, so the sid is the only way to tell which
# module was requested. The module names look like CVE identifiers, but the rules
# carry no reference:cve entries; map them manually and confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=JavaSignedApplet"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21686; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-3552"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21685; rev:4;)
# The pattern of sid 21684 is a prefix of the pattern of sid 21683, so a request
# for the "Helper" module matches both rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21684; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Java-2010-0842Helper"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21683; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-90-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21682; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-80-2010-0188"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21681; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2010-2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21680; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call attempt"; flow:to_server,established; content:".php?e=Adobe-2010-1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21679; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:".php?e=Adobe-2008-2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:21678; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Java exploit kit iframe drive by attempt"; flow:to_client,established; file_data; content:"function(p,a,c,k,e,d){e=function(c)"; nocase; content:"morale.class"; distance:0; nocase; metadata:service http; reference:cve,2011-3544; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+ThreatBlog%29; classtype:attempted-user; sid:21668; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - catch"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"}catch(qq"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:attempted-user; sid:21661; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Index/index.php"; flow:to_server,established; content:"/Index/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; reference:url,sophosnews.files.wordpress.com/2012/03/blackhole_paper_mar2012.pdf; classtype:trojan-activity; sid:21660; rev:7;)
# Blackhole landing page request (sid 21659). urilen:15 makes the URI exactly
# /Home/index.php; the rule sets kit.blackhole and raises no alert
# (flowbits:noalert).
# NOTE(review): the rules near this one that test kit.blackhole (sids 21661, 21658,
# 21657) are commented out. Unless an enabled rule elsewhere tests the flowbit, this
# setter produces no detection; confirm at least one consumer is enabled.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21659; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<span style=|22|display:none|3B 22|>safsaf(|27|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21658; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page - specific structure"; flow:to_client,established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><applet/"; content:"archive="; distance:0; content:"code="; distance:0; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21657; rev:7;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:16;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Phoenix exploit kit landing page"; flow:to_client,established; file_data; content:"String.fromCharCode"; nocase; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; fast_pattern:only; content:".jar|27|"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2008-5353; reference:cve,2009-0927; reference:cve,2009-3867; reference:cve,2009-4324; reference:cve,2010-0188; reference:cve,2010-0248; reference:cve,2010-0840; reference:cve,2010-0842; reference:cve,2010-0866; reference:cve,2010-1240; reference:cve,2010-1297; reference:cve,2011-2110; reference:cve,2011-2140; reference:cve,2011-2371; reference:cve,2011-3544; reference:cve,2011-3659; reference:cve,2012-0500; reference:cve,2012-0507; reference:cve,2012-0779; classtype:attempted-user; sid:21640; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - BBB"; flow:to_client,established; file_data; content:"<h2>BBB loading to show your URGENT complain status.</h2>"; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21581; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h3>Page is loading, please wait..</h3>"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21549; rev:8;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific header"; flow:to_client,established; file_data; content:"<h1>Loading ... Please Wait.... </h1>"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21539; rev:8;)
# Sakura logo transfer (sid 21510). Requires the flowbit file.jpeg, which no rule in
# this part of the file sets (presumably a file-identification rule does; confirm
# that ruleset is loaded, otherwise this rule never fires). It then looks for three
# 16-byte sequences in this order in the file data. classtype is string-detect: a
# hit means this specific image was transferred, not that an exploit was delivered.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit logo transfer"; flow:to_client, established; flowbits:isset,file.jpeg; file_data; content:"|FB 27 68 DE 2D D6 BF E0 AC BF B5 82 78 7B 5C F0|"; content:"|AE 6E 3C CD EE AE BF 33 F5 0F 58 D5 2D 74 3D 2A|"; distance:0; content:"|04 67 82 31 5F 1F 7F C1 62 A7 D4 EC FC 71 FB 31|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:string-detect; sid:21510; rev:6;)
# Sakura landing page (sid 21509). The msg says "request", but the rule inspects the
# server response (flow:to_client, file_data): the body must contain
# archive='rhin.jar' and, after it, archive='Goo.jar'. A hit therefore means the
# page was served to the client, not that the jar was fetched.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit rhino jar request"; flow:to_client,established; file_data; content:"archive='rhin.jar'"; content:"archive='Goo.jar'"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,xylibox.blogspot.com/2012/01/another-sakura-kit.html; classtype:attempted-user; sid:21509; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"try"; content:"prototype"; within:30; content:"}catch("; within:30; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:22;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:7;)
# --- Blackhole exploit kit (v1) request/response rules: sids 21348-21343, 21259, 21141 ---
# All eight rules below are commented out, i.e. disabled as shipped in this file.
# Flowbits pairs visible in this group (a rule with isset can only fire after a rule
# that sets the same bit has matched earlier on that flow, so enable them together):
#   kit.blackhole  set by 21348 and 21347 (21347 is noalert, state only) -> checked by 21259
#   blackhole.jar  set by 21345 (noalert)                                 -> checked by 21346
#   blackhole.pdf  set by 21343                                           -> checked by 21344
# 21141 is written "any $HTTP_PORTS -> any any": it is not scoped to $HOME_NET or
# $EXTERNAL_NET, so it would also cover a control panel served from inside the network.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - search.php?page="; flow:to_server, established; content:"/search.php?page="; http_uri; pcre:"/search\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21348; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - .php?page="; flow:to_server, established; content:".php?"; http_uri; pcre:"/\.php\?[^=]+?=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21347; rev:11;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar download"; flow:to_client, established; flowbits:isset,blackhole.jar; content:"nginx"; http_header; content:"application/java-archive"; fast_pattern:only; http_header; file_data; content:"Main.class"; content:"Main.classPK"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21346; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit malicious jar request"; flow:to_server, established; content:"content/rin.jar"; fast_pattern:only; http_uri; flowbits:set,blackhole.jar; flowbits:noalert; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21345; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit pdf download"; flow:to_client, established; flowbits:isset, blackhole.pdf; content:"application/pdf"; fast_pattern:only; http_header; file_data; content:"arr="; pcre:"/\d+(.)\d+\1\d+\1\d+\1\d+\1\d+\1/"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21344; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit pdf request"; flow:to_server,established; content:"adp"; fast_pattern; http_uri; content:".php?"; within:5; distance:1; nocase; http_uri; pcre:"/adp\d?\.php\?[fe]=/U"; flowbits:set,blackhole.pdf; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:suspicious-filename-detect; sid:21343; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit response"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"window.document"; fast_pattern:only; content:"split"; pcre:"/\d{1,3}(.)\d{1,3}\1\d{1,3}\1\d{1,3}\1\d{1,3}\1/"; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21259; rev:5;)
# alert tcp any $HTTP_PORTS -> any any (msg:"EXPLOIT-KIT Blackhole exploit kit control panel access"; flow:to_client, established; file_data; content:"charset=utf-8|22|/><title>Blackhole v."; pcre:"/[\d\.]+<\/title>/R"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:policy-violation; sid:21141; rev:7;)
# sid 21108 (disabled): one fixed literal (fast_pattern:only) searched in the HTTP response
# body via file_data; no pcre and no flowbits prerequisite.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT unknown exploit kit obfuscated landing page"; flow:to_client, established; file_data; content:"[]]}|7C|}{$$$$]}$]]}]]$|7C|$}$]$+]}]/$/]/${$$]$]]]]])$)$|7C|]/$+"; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,blog.talosintel.com/2012/02/exploit-kit-was-sent-to-you.html; classtype:attempted-user; sid:21108; rev:6;)
# --- Crimepack exploit kit: sids 21099-21096 (enabled) ---
# The action written in this file is "alert"; "drop" appears only in the policy metadata.
# 21099 and 21097 match client requests (/pdf.php?pdf=..., /load.php?spl=...);
# 21098 and 21096 match server responses through file_data.
# 21097 is classtype successful-user with msg "post-exploit download request": the match is
# on the payload request itself, so review the requesting host, not only the remote server.
# 21096 keys on the page title literal "<title>CRiMEPACK " alone.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit malicious pdf request"; flow:to_server, established; content:"/pdf.php?pdf="; http_uri; pcre:"/pdf\.php\?pdf=[0-9A-F]+&type=\d+&o=[^&]+&b=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21099; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit landing page"; flow:to_client, established; file_data; content:"charCodeAt(0)+13)?c:c-26)|3B|}).replace(/@/g,'A').replace(/!/g,'B').replace(/#/g,'C')"; fast_pattern:only; content:"= 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='|3B|"; pcre:"/var ([^\s]+) = ''\x3Bvar ([^,]+), ([^,]+).*\1 = \1 \+ String\.fromCharCode\(\2\).*\!= 64\) \{ \1 = \1 \+ String\.fromCharCode\(\3\)\x3b\}.*\x3breturn unescape\(\1\)\x3b\}return 0\x3b\}/R"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:attempted-user; sid:21098; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Crimepack exploit kit post-exploit download request"; flow:to_server, established; content:"/load.php?spl="; http_uri; pcre:"/^\/load\.php\?spl=[^&]+&b=[^&]+&o=[^&]+&i=/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:successful-user; sid:21097; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Crimepack exploit kit control panel access"; flow:to_client, established; file_data; content:"<title>CRiMEPACK "; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0806; classtype:policy-violation; sid:21096; rev:6;)
# --- Eleanore exploit kit: sids 21071-21068 (enabled) ---
# 21071 matches load.php?spl=<name> in the URI, where <name> is one of the exploit labels
# listed in the pcre alternation.
# 21070 and 21069 look for "?spl=" with http_header and pcre /H, i.e. in the request headers
# rather than the URI (presumably the Referer of a follow-up request - confirm against a capture).
# Both use the same pcre; 21070 additionally needs "?spl=2" in the headers and "/pdf.php" in
# the URI, so a request that matches 21070 also satisfies 21069 and can raise two alerts.
# 21068 searches the response body (file_data) for literal "X-Powered-By: PHP/5.2.0" header
# text that appears again after "?>".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit post-exploit page request"; flow:to_server, established; content:"load.php?spl="; fast_pattern:only; http_uri; pcre:"/load\.php\?spl=(Spreadsheet|DirectX_DS|MS09-002|MS06-006|mdac|RoxioCP v3\.2|wvf|flash|Opera_telnet|compareTo|jno|Font_FireFox|pdf_exp|aol|javad|ActiveX_pack)/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21071; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit pdf exploit page request"; flow:to_server, established; content:"?spl=2"; fast_pattern:only; http_header; content:"/pdf.php"; http_uri; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21070; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Eleanore exploit kit exploit fetch request"; flow:to_server, established; content:"?spl="; fast_pattern:only; http_header; pcre:"/\?spl=\d&br=[^&]+&vers=[^&]+&s=/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21069; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Eleanore exploit kit landing page"; flow:to_client, established; file_data; content:"X-Powered-By|3A| PHP/5.2.0|0D 0A|Content-type|3A| text/html|0D 0A 0D 0A|?>X-Powered-By|3A| PHP/5.2.0|0D 0A|"; content:"?>X-Powered-By: PHP/5.2.0"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2008-2463; reference:cve,2010-0188; reference:cve,2010-0806; reference:cve,2010-0840; reference:cve,2010-1885; reference:cve,2010-4452; reference:cve,2011-0558; reference:cve,2011-0559; reference:cve,2011-0611; reference:cve,2011-2462; reference:cve,2011-3521; reference:cve,2011-3544; reference:url,krebsonsecurity.com/2010/01/a-peek-inside-the-eleonore-browser-exploit-kit/; classtype:trojan-activity; sid:21068; rev:4;)
# --- Blackhole exploit kit, continued: sids 21045-21041 (all disabled) ---
# 21045 and 21044 require flowbit kit.blackhole. In this group it is set by 21041
# (main.php?page=<16 hex chars>); 21348 and 21347 earlier in this file set it as well.
# Enable at least one setter together with these two, or they cannot fire.
# 21043 and 21042 have no flowbits prerequisite; their detection differs only in the order
# of the e= and f= parameters.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>|0D 0A|if(window.document)"; fast_pattern:only; pcre:"/(,\d{1,3}){20}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21045; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page"; flow:to_client, established; flowbits:isset,kit.blackhole; file_data; content:"<html><body><script>"; content:"new Date().getDay"; fast_pattern:only; pcre:"/(#\d{1,2}){20}/"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21044; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?e="; flow:to_server, established; content:".php?e="; http_uri; pcre:"/\/[a-z]\.php\?e=[\da-f]+&f=[\da-f]+$/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21043; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit post-compromise download attempt - .php?f="; flow:to_server, established; content:".php?f="; http_uri; pcre:"/\/[a-z]\.php\?f=[\da-f]+&e=[\da-f]+$/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21042; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit URL - main.php?page="; flow:to_server, established; content:"/main.php?page="; http_uri; pcre:"/main\.php\?page=[a-f0-9]{16}$/U"; flowbits:set,kit.blackhole; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:attempted-user; sid:21041; rev:12;)
# --- "Known malicious URI" rules: sids 20669, 20668 (disabled), 20558 (enabled) ---
# 20669 and 20668 each match one short URI literal with nocase and no pcre
# ("/w.php?f=", "/content/v1.jar"), so they are likely to be noisy if enabled.
# 20558 is narrower: its pcre requires w=<digits>, i=<32 hex chars>, a=<digits> in that
# order after /stat2.php (case-insensitive).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - w.php?f="; flow:to_server,established; content:"/w.php?f="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584/analysis/; classtype:trojan-activity; sid:20669; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI - /content/v1.jar"; flow:to_server,established; content:"/content/v1.jar"; nocase; http_uri; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/52d5b9afeb36a048f139923e57fa3ba0fa6d0f02f8ceb1224ac834ca72932584/analysis/; classtype:trojan-activity; sid:20668; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT URI request for known malicious URI /stat2.php"; flow:to_server,established; content:"/stat2.php?w="; nocase; http_uri; content:"i="; distance:0; nocase; http_uri; pcre:"/stat2\.php\?w=\d+\x26i=[0-9a-f]{32}\x26a=\d+/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf; reference:url,www.virustotal.com/en/file/567e2dcde3c182056ef6844ef305e1f64d4ce1bf3fa09d8cdc019cca5e73f373/analysis/; reference:url,www.virustotal.com/file/8380bd105559643c88c9eed02ac16aef82a16e62ef82b72d3fa85c47b5441dc7/analysis/; classtype:trojan-activity; sid:20558; rev:7;)
# --- Mixed exploit-kit download/request rules: sids 27005, 26985, 27113, 27110 (enabled) ---
# 27005: response headers carry "filename=" followed by "mp3", but the body contains "MZ".
#   byte_jump:4,58,relative,little reads the 4-byte little-endian value 58 bytes after "MZ"
#   (file offset 0x3C when "MZ" starts the file) and the last content checks for "PE|00 00|"
#   at the offset that value points to. "MZ" has no depth/offset, so it is not anchored to
#   the start of the body.
# 26985: rawin.php?b=<uppercase hex>&v=1. in the URI.
# 27113 sets flowbit file.exploit_kit.jar and 27110 sets file.exploit_kit.pe; no rule next to
#   them tests these bits, so the consumers are presumably elsewhere in the ruleset.
# 27110 is listed as "alert" in all three policies, unlike its neighbours ("drop").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Portable Executable downloaded when mp3 is declared"; flow:to_client,established; content:"filename="; http_header; content:"mp3"; within:25; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;)
# --- Jar download rules: sids 27109, 27107, 27106 (disabled), 27108 (enabled) ---
# 27109 / 27107 / 27106 require flowbit file.jar and then match one class-file name in the
# response body. file.jar is not set by any rule in this part of the file (presumably by
# the file-identify rules - confirm they are loaded before enabling these).
# 27108 needs no flowbit: "filename=" followed by "exe" in the response headers, with a
# body that contains "PK" and, later, ".class".
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Momomo.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27109; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit malicious jar file downloaded when exe is declared"; flow:to_client,established; content:"filename="; http_header; content:"exe"; within:25; nocase; http_header; content:"|0D 0A|"; within:4; http_header; file_data; content:"PK"; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27108; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"|00|Han.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27107; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Bjisad.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27106; rev:2;)
# --- Unknown Malvertising exploit kit: sids 27086, 27085 (enabled) ---
# 27086 has neither file_data nor http_* modifiers, so its content chain is not bound to the
# file_data buffer that the neighbouring response rules use.
# NOTE(review): a compressed or chunked response may therefore not match - confirm in testing.
# 27085 is enabled but requires flowbit file.jar, which no rule in this part of the file sets
# (presumably the file-identify rules do); without that setter loaded it cannot fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;)
# --- Nailed exploit kit ("autopwn"): sids 27084-27078 (enabled) ---
# 27084-27080 match client requests on fixed URI path literals only (no pcre):
#   /rhino/1.jar, /jmxbean/1.jar, /flash_atf/ followed by .swf, /ie_exec/2.html, /ff_svg/1.bin
# Each of these five carries one CVE reference.
# 27079 and 27078 match the landing page in the response body (file_data), one literal each.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit rhino remote code execution exploit download - autopwn"; flow:to_server,established; content:"/rhino/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27084; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit jmxbean remote code execution exploit download - autopwn"; flow:to_server,established; content:"/jmxbean/1.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27083; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit flash remote code execution exploit download - autopwn"; flow:to_server,established; content:"/flash_atf/"; fast_pattern; http_uri; content:".swf"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-1535; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27082; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Internet Explorer exploit download - autopwn"; flow:to_server,established; content:"/ie_exec/2.html"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-4969; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27081; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nailed exploit kit Firefox exploit download - autopwn"; flow:to_server,established; content:"/ff_svg/1.bin"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2013-0757; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27080; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page stage 2"; flow:to_client,established; file_data; content:"global_exploit_list[exploit_idx].resource"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27079; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nailed exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"<html > <head > <title > Loading"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:27078; rev:1;)
# --- Blackhole / Blackholev2: sids 27072, 27071, 27069, 27068, 27067 (all disabled) ---
# 27072 / 27071: request for /<32 hex chars>/a.php and /<16 hex chars>/a.php respectively;
#   both are skipped when the request headers contain "siteadvisor.com".
# 27069 requires flowbit file.exe and 27068 requires file.jar; neither bit is set in this
#   part of the file (presumably by the file-identify rules - confirm before enabling).
# 27067 matches the single body literal "}catch(qwqw){" with no flowbits prerequisite.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>32; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27072; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackhole exploit kit landing page retrieval"; flow:to_server,established; urilen:>16; content:"/a.php"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{16}\/a\.php/U"; content:!"siteadvisor.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27071; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious portable executable download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"c|3A 5C|Soft|5C|cebhlpod.txt"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27069; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit malicious jar file download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Tretre.class"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27068; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"}catch(qwqw){"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3402; reference:cve,2012-0507; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,2013-0431; reference:cve,2013-0634; reference:cve,2013-1493; reference:cve,2013-2423; classtype:trojan-activity; sid:27067; rev:4;)
# --- Styx exploit kit plugin-detection requests: sids 27042-27040 (enabled) ---
# Three rules whose detection differs only in the page name (jovf / jlnp / jorg).
# Each pcre ends in "$", so the URI has to end with "/<name>.html".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;)
# sid 27026, Neutrino landing page (enabled): three literals in the response body, in order -
# "<link href='", then the end of a stylesheet link followed directly by another "<link href='"
# within 100 bytes, then "{a={plugins:" anywhere after that. No fast_pattern is designated,
# and there is no pcre or flowbits prerequisite.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<link href=|27|"; content:".css|27| rel=|27|stylesheet|27|><link href=|27|"; within:100; content:"{a={plugins|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27026; rev:1;)
# --- "Private" exploit kit: sids 27144-27141 (enabled), 27140 (disabled) ---
# 27144: request with " Java/1" and "content-type: application/" in the headers for
#   <x>.php?<name>=<value>&<name>=<digits> at the end of the URI.
#   NOTE(review): the pcre class [a-fA-Z0-9] together with the /i flag accepts every ASCII
#   letter and digit; if a hex-only value was intended it would be [a-f0-9]. Left as shipped.
#   balanced-ips lists this rule as "alert"; the other two policies list "drop".
# 27143-27141: landing-page literals in the response body (file_data), one literal each.
#   "JTIw" in 27143 is the base64 encoding of "%20". The literal in 27141 is ".value;"
#   followed by space, tab, space and "var".
# 27140: disabled; "filename=" then four characters then ".exe" in the response headers,
#   with pcre filename=<4 digits>.exe anchored by "$".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"|27| value=|27|JTIw"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27143; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:"<html><head><script type=|27|text/javascript|27| src=|22|js/PluginDetect.js|22|>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27142; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit landing page"; flow:to_client,established; file_data; content:".value|3B| |09| var"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,malwaresigs.com/2013/07/03/another-unknown-ek/; classtype:trojan-activity; sid:27141; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Private exploit kit numerically named exe file dowload"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:4; distance:4; http_header; pcre:"/filename\=\d{4}\.exe$/H"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27140; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"counter.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:27242; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page detected"; flow:to_client,established; file_data; content:"<OBJECT CLASSID=|22|clsid|3A|5852F5ED-8BF4-11D4-A245-0080C6F74284|22| width=|22|1|22| height=|22|1|22|><PARAM name=|22|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27241; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit Java Exploit request structure"; flow:to_server,established; content:"/rhino.php?hash="; fast_pattern:only; http_uri; content:"content-type"; http_header; content:"java-archive"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27274; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit iframe redirection"; flow:established,to_client; file_data; content:"<iframe style=|22|position|3A|fixed|3B|top|3A|0px|3B|left|3A|-550px|3B 22| src="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27273; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT iFramer toolkit injected iframe detected - specific structure"; flow:to_client,established; file_data; content:"}catch(dgsgsdg"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27271; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"try{++((document.body))}catch(va){if("; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27603; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:" = jref[ind](nip[|22|charAt|22|](i))|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27602; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit successful Java exploit"; flow:to_server,established; content:"?id="; http_uri; content:"&text="; distance:0; fast_pattern; http_uri; content:" Java/1."; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27697; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:"</title>|0A|</head>|0A|<body>|0A|<script src="; content:"jquery.js"; within:9; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27696; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Kore exploit kit landing page"; flow:to_client,established; file_data; content:".jnlp|22| /><param name=|22 27|+"; content:"+|27|_embedded|22|"; content:".zip|22| width=|22|10|22|><param name=|22|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2471; reference:url,malware.dontneedcoffee.com/2013/08/cve-2013-2465-integrating-exploit-kits.html; classtype:trojan-activity; sid:27695; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection page"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|top|3A|-1000px|3B|left|3A|-1000px|3B|text-indent|3A|-1000|3B|width|3A|1px|3B|height|3A|1px|3B|"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27715; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--f04d6c0ecc742ce800a316c742197c6evdrd33vf5rmf60vx-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27713; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit redirection injection"; flow:to_client,established; file_data; content:"<!--4db55aefd91c498bc4dd1eddca98a4b5lfvknc5uxdf4g3sa-->"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:27712; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit possible jar download"; flow:to_client,established; flowbits:isset,file.jpeg|file.png|file.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27706; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/wmck.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27705; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Gong Da exploit kit Java exploit requested"; flow:to_server,established; content:"/ckwm.jpg"; fast_pattern:only; http_uri; content:" Java/1"; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27704; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"ck_wm.indexOf(|22|linux|22|)<=-1"; content:"+expires.toGMTString()|3B|"; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27702; rev:3;)
# sid:26292 - server response whose header carries a "filename=" value ending in
# ".zip" (followed by CRLF) while the body starts with the "PK" magic (depth:2)
# and contains ".class" further on. The mismatch between the declared .zip name
# and the Java class content is the signal.
# NOTE(review): a legitimate .zip download that happens to contain .class files
# would presumably match as well - confirm against local traffic before
# relying on the drop policies.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Oracle Java Jar file downloaded when zip is defined"; flow:to_client,established; content:"filename="; http_header; content:".zip|0D 0A|"; distance:0; http_header; file_data; content:"PK"; depth:2; content:".class"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26292; rev:6;)
# sid:27741 - state-setting rule only: flowbits:noalert means it never produces
# an event. It sets file.exploit_kit.jar on any request with ".zip" (any case)
# in the URI and " Java/1" in the headers. Rules that test this flowbit depend
# on this rule staying enabled; disabling it to cut load silently disables them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Zip file downloaded by Java"; flow:to_server,established; content:".zip"; nocase; http_uri; content:" Java/1"; fast_pattern:only; http_header; flowbits:set,file.exploit_kit.jar; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:misc-activity; sid:27741; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit redirection page"; flow:to_client,established; file_data; content:"|2A 2F|height=|22|"; content:"|22| code=|22|"; within:25; distance:1; content:".class|22| |2F 2A| "; distance:0; fast_pattern; content:".zip|22| width=|22|"; distance:0; content:"|22|><param name=|22|"; within:25; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27739; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<iframe style=|22|position|3A|fixed|3B|top|3A|"; content:"px|3B|left|3A|"; within:25; distance:1; content:"|22| height=|22|"; distance:0; content:"|22| width=|22|"; within:25; content:"></iframe>|27|"; within:25; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27738; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - specific structure"; flow:to_client,established; file_data; content:"/*/0f2490*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27734; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT IFRAMEr Tool embedded javascript attack method - generic structure"; flow:to_client,established; file_data; content:"try|7B 3B 7D|catch("; content:"){try{"; within:30; metadata:policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27733; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit plugin detection page"; flow:to_client,established; file_data; content:"$(document).ready("; content:"=PluginDetect.getVersion,"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27783; rev:1;)
# sid:27815 - outbound request for /n.php?h=<alnum>&s=<1-5 alnum>; the pcre
# (flags U and i) anchors the match at the end of the normalized URI.
# NOTE(review): the first content ("/n.php?h=") has no http_uri modifier, while
# the relative "&s=" match (distance:0) and the pcre both use the URI buffer.
# Confirm the relative match behaves as intended across the two buffers; the
# sibling rules in this file put http_uri on every URI content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit malicious redirection attempt"; flow:to_server,established; content:"/n.php?h="; content:"&s="; distance:0; http_uri; pcre:"/\x2fn\.php\?h=[a-zA-Z0-9]*?\&s=[a-zA-Z0-9]{1,5}$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27815; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:7; content:"/i.html"; depth:7; fast_pattern; http_uri; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27814; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page with payload"; flow:to_client,established; file_data; content:"document.write(|27|<applet archive=|22|"; content:".jar|22| code=|22|"; within:50; content:"|22|><param value=|22|http|3A 2F 2F|"; content:!"|22|"; within:60; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27813; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit redirection"; flow:to_server,established; content:"/8jxtl5i/"; depth:9; http_uri; urilen:>63; pcre:"/\x2f\?[0-9a-f]{60,66}[\x3b\d]*$/U"; metadata:service http; classtype:trojan-activity; sid:27810; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - readme.dll"; flow:to_client,established; content:"filename="; http_header; content:"readme.dll"; within:12; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27898; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - calc.dll"; flow:to_client,established; content:"filename="; http_header; content:"calc.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27897; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - contacts.dll"; flow:to_client,established; content:"filename="; http_header; content:"contacts.dll"; within:13; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27896; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - info.dll"; flow:to_client,established; content:"filename="; http_header; content:"info.dll"; within:9; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27895; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Payload detection - about.dll"; flow:to_client,established; content:"filename="; http_header; content:"about.dll"; within:10; fast_pattern; http_header; content:"|0D 0A|"; within:4; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,blog.webroot.com/2011/10/31/outdated-operating-system-this-blackhole-exploit-kit-has-you-in-its-sights/; classtype:trojan-activity; sid:27894; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27893; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader"; flow:to_server,established; content:"/a.php?e=2992"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2008-2992; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27892; rev:2;)
# sid:27891 / sid:27890 - the same check written two ways. Both require the
# short file name to end the request target, which keeps a 7-byte URI pattern
# from matching longer paths:
#   27891 checks the raw request line for "p1.exe HTTP/" (no http_* modifier);
#   27890 uses a pcre anchored with $ on the normalized URI (flag U).
# NOTE(review): neither rule carries a max-detect-ips policy entry, unlike the
# /dl.exe sibling (sid:27885) - presumably intentional; confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/p1.exe"; fast_pattern:only; http_uri; content:"p1.exe HTTP/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27891; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit secondary payload"; flow:to_server,established; content:"/m1.exe"; fast_pattern:only; http_uri; pcre:"/\/m1\.exe$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27890; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27889; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27888; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27887; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/download_file.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27886; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit payload download"; flow:to_server,established; content:"/dl.exe"; fast_pattern:only; http_uri; content:"dl.exe HTTP/"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Oracle Java"; flow:to_server,established; content:"/TobyClass.jar"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27883; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=2884"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-2884; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27882; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Flash Player"; flow:to_server,established; content:"/a.php?e=1297"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-1297; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27881; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 9"; flow:to_server,established; content:"/a.php?e=900188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27880; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Teletubbies exploit kit exploit attempt for Adobe Acrobat Reader 8"; flow:to_server,established; content:"/a.php?e=800188"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malwageddon.blogspot.com/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:27879; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"(z){h=|22|harCode|22 3B|f=["; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27878; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit landing page"; flow:to_client,established; file_data; content:"[|22|s|22|+|22|u|22|+|22|bs|22|+|22|t|22|+|22|r|22|]"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27877; rev:2;)
# sid:27876 - response declared as "Content-Type: audio/mpeg" whose body has the
# layout of a Windows PE file. After "MZ", byte_jump reads a 4-byte
# little-endian value 58 bytes past the match (file offset 0x3C, the PE header
# pointer, when "MZ" is at the start) and moves the cursor by it; distance:-64
# then rewinds so that "PE|00 00|" must sit where that pointer says.
# NOTE(review): "MZ" has no depth, so the sequence may match at any offset in
# the body rather than only at byte 0 - confirm this is intended.
# NOTE(review): the flowbit set here is file.exploit_kit.jar although the
# payload checked is a PE; presumably the shared flowbit is reused - verify
# against the rules that test it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download"; flow:to_client,established; content:"Content-Type|3A 20|audio/mpeg"; fast_pattern:only; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27876; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Kore exploit kit outbound payload download attempt"; flow:to_server,established; content:".html1.zip"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27873; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:2;)
# sid:27865 - GET whose normalized URI starts with /<32 lowercase hex>/<word>-<word>.php
# (pcre anchored at the start only, so a query string may follow).
# The two negated header contents exempt any request whose headers contain
# "PacketShaper" or "siteadvisor.com" - presumably false-positive suppression
# for those products. The exemption is a plain substring test on the header
# buffer, so this rule should not be the only coverage for this URI shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:7;)
# sid:27936 - fires only when flowbit file.pe.styx is already set on the flow,
# and the response header has ".exe" starting exactly 11 bytes after
# "filename=" (distance:11 with within:4).
# NOTE(review): no rule in this part of the file sets file.pe.styx; if its
# setter is disabled or missing, this rule can never match - confirm the
# setter is present and enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit portable executable download"; flow:to_client,established; flowbits:isset,file.pe.styx; content:"filename="; http_header; content:".exe"; within:4; distance:11; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27936; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"for("; content:"=0|3B|"; within:15; content:".innerHTML.length|3B|"; content:"+=2)"; within:15; pcre:"/for\x28(?P<var>\w+)=0\x3b(?P=var)<(?P<var2>\w+)\.innerHTML.length\x3b(?P=var)\+=2\x29\x20\w+\+=\w+\x28(?P=var2)/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27935; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>notredkit<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27912; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>X2O<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27911; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit successful redirection"; flow:to_client,established; file_data; content:"<iframe src=|27|http|3A 2F 2F|"; content:"|3A|8509|2F|"; distance:0; fast_pattern; content:"|27| border=0 width="; distance:0; content:"height="; within:25; content:"scrolling=no></iframe>"; within:50; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28038; rev:2;)
# sid:28029 - JNLP client request ("User-Agent: JNLP") for
# /<32 chars [a-z0-9]>/<32 chars [a-z0-9]>.jnlp. urilen:71 is the exact length
# of that shape (1 + 32 + 1 + 32 + 5), so the length test and the pcre agree;
# any change to one must be mirrored in the other.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Popads/Nuclear exploit kit jnlp request"; flow:to_server,established; urilen:71; content:".jnlp"; http_uri; content:"User-Agent|3A 20|JNLP"; fast_pattern:only; http_header; pcre:"/^\/[a-z0-9]{32}\/[a-z0-9]{32}\.jnlp/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28029; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)
# Injected-iframe family, all matched in the response body (file_data) with one literal each.
# sid 28022 keys on the injector's JavaScript preamble (p=parseInt;ss=String;asgq=").
# sids 28021-28016 key on a script name (relay.php, rel.php, esd.php, count.php, cnt.php,
# clicker.php) immediately followed by the same hidden, absolutely positioned style attribute.
# Those six rules share one msg string, so triage and suppression should key on the sid.
# NOTE(review): the metadata lists ftp-data/imap/pop3 while the header is bound to $HTTP_PORTS;
# whether non-HTTP transfers are inspected depends on the sensor's service configuration - verify.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - IFRAMEr injection tool"; flow:to_client,established; file_data; content:"p=parseInt|3B|ss=String|3B|asgq=|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28022; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"relay.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28021; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"rel.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28020; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"esd.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28019; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"count.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28018; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"cnt.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28017; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT embedded iframe redirection - possible exploit kit indicator"; flow:to_client,established; file_data; content:"clicker.php|22| style=|22|visibility|3A| hidden|3B| position|3A| absolute|3B| left|3A| 0px|3B| top|3A| 0px|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:28016; rev:1;)
# g01pack: response body with an iframe whose src is an http:// URL, followed anywhere later by the
# attribute run style="border:0px #FFFFFF none;" name="test". No fast_pattern is designated, so the
# engine chooses one of the two contents itself.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT g01pack exploit kit redirection attempt"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|22| style=|22|border|3A|0px #FFFFFF none|3B 22| name=|22|test|22|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28015; rev:1;)
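# Nuclear/Magnitude: request made by a Java client (User-Agent containing " Java/1.") for
# /<32 hex>/<one digit>; urilen:35 equals 1+32+1+1. Sets the file.exploit_kit.jar flowbit.
# Local fix: the " Java/1." literal is a User-Agent token, so it is matched with http_header, as the
# other Java-client rules in this file do. Under http_uri it could never coexist with the fully
# anchored URI pcre, which left the rule unable to fire. Re-check this line when the ruleset is
# next updated, since sid and rev are kept as shipped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit post Java compromise download attempt"; flow:to_server,established; urilen:35; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/[a-f0-9]{32}\/[0-9]$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28111; rev:6;)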
# Nuclear/Magnitude exploit fetches: the URI is exactly /<32 hex>/<32 hex>.jar or .swf
# (urilen:70 = 1+32+1+32+4; the pcre is case-insensitive). Only the .jar rule sets
# file.exploit_kit.jar; the .swf rule sets no flowbit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:70; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28109; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Adobe Flash exploit download attempt"; flow:to_server,established; urilen:70; content:".swf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28108; rev:4;)
# DotkaChef/Rmayana: outbound request whose URI starts with /<8 hex>.js?cp= (case-insensitive).
# The pcre is anchored at the start only; anything may follow the "cp=" parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana exploit kit redirection attempt"; flow:to_server,established; content:".js?cp="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{8}\.js\?cp\x3d/Umi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28138; rev:3;)
# Bleeding Life: four rules, one per fixed jar filename requested in the URI. Each is a single
# URI literal with no pcre or length check, and each sets file.exploit_kit.jar.
# All four share one msg string (distinguish by sid) and use classtype attempted-user, unlike the
# trojan-activity classtype of the surrounding rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/JavaSignedApplet.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28199; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-3552.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842Helper.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28197; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit module call"; flow:to_server,established; content:"/Java-2010-0842.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.opensc.ws/malware-samples-information/12241-bleeding-life-v2-offical-download-braduz-opensc-ws.html; classtype:attempted-user; sid:28196; rev:2;)
# X2O post-exploit fetch: Java client requesting /blog/<3 alphanumerics>.<ext>, where ext is one of
# g3d, ged, mm, vru, be, nut.
# NOTE(review): urilen:13 fits only the three-letter extensions (6+3+1+3). With "mm" or "be" the
# same path is 12 bytes, so those two alternatives look unreachable for a plainly encoded URI -
# confirm against the URI-length semantics of the deployed Snort version.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT X2O exploit kit post java exploit download attempt"; flow:to_server,established; urilen:13; content:"/blog/"; http_uri; content:" Java/1."; fast_pattern; http_header; pcre:"/^\/blog\/[a-zA-Z0-9]{3}\.(g(3|e)d|mm|vru|be|nut)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28195; rev:1;)
# X2O landing page: one literal HTML fragment in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT X2O exploit kit landing page"; flow:to_client,established; file_data; content:"<table>Adikj<applet><param name"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28194; rev:1;)
# Neutrino redirection: response body with an iframe whose http:// src reaches ":85/" within
# 30 bytes and a width="0" attribute within the next 200 bytes. None of the three literals is long
# or designated as fast pattern, so watch this sid for false positives on pages that legitimately
# frame a host on port 85.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection received"; flow:to_client,established; file_data; content:"<iframe src=|22|http|3A 2F 2F|"; content:"|3A|85|2F|"; within:30; content:"|22| width=|22|0|22|"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28213; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kits malicious pdf download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pdf; file_data; content:"%PDF-"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:28238; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit outbound pdf download attempt"; flow:to_server,established; content:".pdf"; fast_pattern; http_uri; content:"Referer|3A|"; http_header; pcre:"/\/[0-9a-f]{32}\/[0-9]{10}\.pdf$/U"; pcre:"/Referer\x3a.*?\.html\x0d\x0a/H"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:28237; rev:5;)
# Magnitude/Nuclear landing page: response body containing "</adress><br>" with "<cite>" within the
# next 20 bytes. The misspelt closing tag is the literal being matched; do not "correct" it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude/Nuclear exploit kit landing page"; flow:to_client,established; file_data; content:"</adress><br>"; content:"<cite>"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28236; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28233; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)
# Sweet Orange landing-page request (client to server, despite "landing page" in the msg): the URI
# ends in .php?catalogp=<2 digits> and a Referer header is present. The ".php?catalogp=" content
# has no http_uri modifier, so it is searched in the packet payload; the pcre is what ties the
# match to the normalized URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page attempt"; flow:to_server,established; content:".php?catalogp="; fast_pattern:only; pcre:"/\.php\?catalogp\=\d{2}$/U"; content:"Referer"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28265; rev:1;)
# Sweet Orange post-exploit request: Java client whose URI contains ".php?", then "&special=",
# then "&alert=" in that order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit java compromise successful"; flow:to_server,established; content:".php?"; http_uri; content:"&special="; distance:0; http_uri; content:"&alert="; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28264; rev:1;)
# Himan payload request after a Java exploit: URI parameters ex=rhi, name, country, os and ver=1.
# in that order, sent by a Java client.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=rhi"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2011-3544; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28310; rev:1;)
# Himan payload request after an Adobe Reader exploit: ex=ad, name and country in order, and no
# "&os=" anywhere in the URI. The negated content is what separates this from the Java variant.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Adobe Reader compromise"; flow:to_server,established; content:".php?ex=ad"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:!"&os="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28308; rev:1;)
# Himan landing page: a single JavaScript version-gate literal in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Himan exploit kit landing page"; flow:to_client,established; file_data; content:"if ((jver >= 600) && (jver < 627)) {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-2465; reference:cve,2013-2551; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28307; rev:2;)
# Nuclear/Magnitude jar fetch, longer path variant: /<32 hex>/<10 digits>/<32 hex>.jar
# (urilen:81 = 1+32+1+10+1+32+4). Sets file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear/Magnitude exploit kit Oracle Java exploit download attempt"; flow:to_server,established; urilen:81; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28414; rev:3;)
# Magnitude embedded redirection: script in the response body that assigns negative pixel offsets
# to element.style.left and then element.style.top within 50 bytes. Unlike its neighbours, the
# header's source port is "any" rather than $HTTP_PORTS.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt"; flow:to_client,established; file_data; content:"element.style.left=|27|-"; content:"px|27 3B|element.style.top=|27|-"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:28413; rev:3;)
# Sakura payload fetch: Java client requesting /<digits>.ld, URI shorter than 25 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:1;)
# Sakura exploit fetch: Java client requesting a URI that ends in /<letters, "_" or "-">.ee.
# The pcre is anchored at the end only, so a leading directory is accepted. Sets
# file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".ee"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.ee$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28449; rev:2;)
# Glazunov zip fetch: Java client requesting exactly /<digits>/<one digit>.zip.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\/\d\.zip$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:4;)
# Glazunov jnlp fetch: Java client requesting a URI ending in /<9 lowercase alphanumerics>.jnlp
# (urilen:15 = 1+9+5, which pins the match to the whole URI even without a start anchor).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:3;)
# Glazunov landing page: script in the response body that assigns the strings "applet", "object"
# and 'param' to variables within 50 bytes of each other, then closes with a .zip path of the
# same /<digits>/<digit>.zip shape that sid 28430 looks for in the request.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3;)
# Nuclear .tpl request: URI ending in /<32 hex>/<10 digits>/<32 hex>/<10 digits>.tpl. There is no
# urilen check and no start anchor here; the length of the pattern carries the specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; content:".tpl"; fast_pattern:only; http_uri; pcre:"/\/[a-f0-9]{32}\/\d{10}\/[a-f0-9]{32}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2551; classtype:trojan-activity; sid:28424; rev:2;)
# Generic payload indicator: a response header carrying filename=<one digit>.exe, optionally
# quoted. within:6 leaves room for exactly quote + digit + ".exe" after "filename=". This is a
# naming heuristic with drop policy; expect it to need tuning where legitimate downloads use
# single-digit executable names.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit single digit exe detection"; flow:to_client,established; content:"filename="; http_header; content:".exe"; within:6; fast_pattern; http_header; pcre:"/filename=[\x22\x27]?\d\.exe[\x22\x27]?/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28423; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; fast_pattern; http_uri; pcre:"/^\/i.html\?[a-z0-9]{4}\x3D[a-z0-9]{15}/smiU"; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:125; http_header; content:"|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28478; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound pdf request"; flow:to_server,established; urilen:<25; content:".pdf"; http_uri; content:"/i.html?"; fast_pattern:only; http_header; content:"Referer|3A|"; http_header; content:!"|0D 0A|"; within:100; http_header; content:"|0D 0A|"; distance:0; http_header; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:28477; rev:5;)
# Neutrino, request from a Java client: ":8000" appears in the request headers and the URI ends in
# /<letters>?<letters>=<letters>, with a URI length bounded by urilen:21<>39. Sets
# file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request by Java - generic detection"; flow:to_server,established; urilen:21<>39; content:":8000"; fast_pattern:only; http_header; content:" Java/1."; http_header; pcre:"/\/[a-z]+\?[a-z]+\=[a-z]+$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28476; rev:3;)
# Neutrino, follow-up GET: the Referer header itself points at a port-8000 URL of the form
# /<letters>?<letters>=<6-7 digits>, which is the shape of the kit's initial request.
# urilen here is measured on the normalized URI (",norm").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:":8000/"; fast_pattern:only; http_header; content:"Referer"; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28475; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download attempt"; flow:to_server,established; urilen:15; content:"/1"; depth:2; fast_pattern; http_uri; pcre:"/^\/1[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:!"Referer"; http_header; content:!"Host|3A| fb.me|0D 0A|"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28616; rev:4;)
# Angler exploit fetch: 15-byte URI starting with "/0" and matching the letter/digit layout in the
# pcre, sent with a User-Agent header and without a Referer. Sets both file.exploit_kit.jar and
# file.exploit_kit.silverlight. Only the max-detect-ips policy enables this rule; the URI shape is
# loose enough that it is left out of the balanced and security policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download attempt"; flow:to_server,established; urilen:15; content:"/0"; depth:2; fast_pattern; http_uri; pcre:"/^\/0[a-z]{0,13}[0-9]{0,12}[a-z][a-z0-9]{1,11}$/U"; content:"User-Agent|3A|"; http_header; content:!"Referer"; http_header; flowbits:set,file.exploit_kit.jar; flowbits:set,file.exploit_kit.silverlight; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28615; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"type=|22|application/x-silverlight-2|22|"; content:"<param name=|22|source|22| value=|22|/0"; distance:0; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28614; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - specific-structure"; flow:to_client,established; file_data; content:"<title>|0D 0A 20 20|Microsoft apple.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28613; rev:3;)
# Silverlight package download on a flow already marked by a request rule: requires the
# file.exploit_kit.silverlight flowbit, then "PK", "AppManifest.xaml" and ".dll" in order in the
# response body. The three literals alone describe any Silverlight package, so the flowbit is what
# makes this specific. If every rule that sets the bit is disabled, this rule cannot fire.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit Silverlight exploit download"; flow:to_client,established; flowbits:isset,file.exploit_kit.silverlight; file_data; content:"PK"; content:"AppManifest.xaml"; distance:0; content:".dll"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/10/paunch-arrestationthe-end-of-era.html; classtype:trojan-activity; sid:28612; rev:3;)
# Sakura exploit fetch: Java client requesting a URI that ends in /<letters, "_" or "-">.rtf,
# shorter than 25 bytes. Sets file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit outbound connection attempt"; flow:to_server,established; urilen:<25; content:".rtf"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.rtf$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28611; rev:2;)
# Sakura payload request, marker only: same shape with a .doc extension. flowbits:noalert means
# this rule never raises an event; it exists to set file.sakura_kit for sid 28609 below, so it
# must stay enabled for that rule to work.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retreive attempt"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-zA-Z_-]+\.doc$/U"; flowbits:set,file.sakura_kit; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:28610; rev:4;)
# Sakura obfuscated payload: on a flow marked file.sakura_kit, the response body contains the
# string "secret" repeated six times (presumably key material showing through where the plaintext
# is zero bytes - not verifiable from the rule itself).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit obfuscated exploit payload download"; flow:to_client,established; flowbits:isset,file.sakura_kit; file_data; content:"secretsecretsecretsecretsecretsecret"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28609; rev:2;)
# Sakura "Atomic" jar: manifest line "Main-Class: atomic.Atomic" in the response body. Depends on
# the file.jar flowbit, which no rule in this part of the file sets - confirm the rule that
# identifies jar downloads is loaded and enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sakura exploit kit Atomic exploit download - specific-structure"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"Main-Class|3A| atomic.Atomic"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28608; rev:1;)
# Nuclear payload request: /f/1<9 digits>/<9-10 digits> followed by one or more /<digit> segments.
# Sets file.exploit_kit.pe, which sid 28593 below tests. Note the policy split: max-detect-ips only
# alerts here while balanced and security drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28596; rev:3;)
# Nuclear jar fetch: Java client requesting /<9-10 digits>/1<9 digits>.jar. Sets
# file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Oracle Java jar file retrieval"; flow:to_server,established; urilen:25<>26,norm; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d{9,10}\/1\d{9}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28595; rev:2;)
# Nuclear .tpl request, short variant: exactly /<10 digits>/<10 digits>.tpl (urilen:26 = 1+10+1+10+4).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Microsoft Internet Explorer vulnerability request"; flow:to_server,established; urilen:26,norm; content:".tpl"; fast_pattern:only; http_uri; pcre:"/^\/\d{10}\/\d{10}\.tpl$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28594; rev:1;)
# Executable download on a flow marked file.exploit_kit.pe. After "MZ" the byte_jump skips 58 bytes
# to the 4-byte little-endian field at 0x3C from the "MZ" start, reads it and jumps that far;
# distance:-64 rewinds to "MZ start + field value", where "PE\0\0" must sit. The result is a
# structural PE check rather than a bare "MZ" match. It fires only if a rule that sets the flowbit
# (sids 28596, 28795, 28969 in this part of the file) is enabled.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28593; rev:1;)
# Injected iframe with a fixed, unquoted attribute run (name=Twitter scrolling=auto frameborder=no
# align=center height=), then " width=" and " src=http://" each within 20 bytes of the previous
# match. The msg itself says "possibly malicious"; treat hits as leads to confirm, not verdicts.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit possibly malicious iframe embedded into a webpage"; flow:to_client,established; file_data; content:"name=Twitter scrolling=auto frameborder=no align=center height="; content:" width="; within:20; content:" src=http|3A 2F 2F|"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:2;)
# "binkey"-XORed binary: response body containing "binkey" repeated six times. There is no flowbit
# precondition, so this matches on any HTTP response inspected by the sensor.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit binkey xored binary download attempt"; flow:to_client,established; file_data; content:"binkeybinkeybinkeybinkeybinkeybinkey"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28797; rev:2;)
# Follow-through of the cnt.php iframe (compare sid 28017): the client actually requests
# /cnt.php?id=<digits> with a Referer. Alert-only in both policies that enable it, so it is useful
# for scoping which hosts followed the injected frame.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT iFRAMEr successful cnt.php redirection"; flow:to_server,established; content:"/cnt.php?id="; fast_pattern:only; http_uri; content:"Referer|3A 20|"; http_header; pcre:"/^\/cnt\.php\?id=\d+$/U"; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28796; rev:2;)
# Goon/Infinity payload request: Java client requesting a URI that ends in /<digits>.mp3, shorter
# than 30 bytes. Sets file.exploit_kit.pe so that the PE-structure rule (sid 28593) can confirm
# the response is an executable. Enabled only in max-detect-ips, and only as an alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:7;)
# Neutrino initial request: GET with ":8000" within 55 bytes of "Host:", a Referer header, and a
# URI ending in /<letters>?<letters>=<6-7 digits>. No content is designated as fast pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit initial outbound request - generic detection"; flow:to_server,established; urilen:20<>36,norm; content:"GET"; http_method; content:"Host|3A|"; http_header; content:":8000"; within:55; http_header; content:"Referer"; http_header; pcre:"/\x2f[a-z]+\?[a-z]+=\d{6,7}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28911; rev:3;)
# HiMan payload request: the fixed URI literal "/tx.exe", nothing else. Sets file.exploit_kit.pe.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28969; rev:3;)
# HiMan Flash exploit fetch: /fla.swf requested with an x-flash-version header and a Referer that
# ends in fla.php?wq=<hex>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound flash exploit retrieval attempt"; flow:to_server,established; content:"/fla.swf"; fast_pattern:only; http_uri; content:"x-flash-version|3A 20|"; http_header; pcre:"/Referer\x3a[^\n]*fla\.php\?wq=[a-f0-9]+\x0d\x0a/H"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28968; rev:2;)
# HiMan exploit fetch: URI longer than 100 bytes ending in .php?hgfc=<hex>. Sets
# file.exploit_kit.pdf. NOTE(review): the only rule in this part of the file that tests that bit
# (sid 28238) is commented out; check that an enabled rule elsewhere consumes it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound exploit retrieval connection"; flow:to_server,established; urilen:>100; content:".php?hgfc="; fast_pattern:only; http_uri; pcre:"/\.php\?hgfc\=[a-f0-9]+$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:28967; rev:3;)
# HiMan POST: request body that begins with "hyt=" (depth:4) and later contains "&vre=". There is
# no URI or header constraint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound POST connection"; flow:to_server,established; content:"POST"; http_method; content:"hyt="; depth:4; http_client_body; content:"&vre="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28966; rev:1;)
# HiMan Flash landing page: a single JavaScript version-gate literal in the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT HiMan exploit kit Flash Exploit landing page"; flow:to_client,established; file_data; content:"flash_version != null && flash_version[0] < 116000"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:28963; rev:1;)
# SPL2 jar fetch: Java client requesting a URI that ends in ".html?jar". Sets
# file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit jar exploit download"; flow:to_server,established; content:".html?jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\.html\?jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29003; rev:2;)
# SPL2 Silverlight check-in: URI ending in .html?sv=<1-5> followed by one to three
# comma-separated numeric groups (a dotted-version shape written with commas).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT SPL2 exploit kit Silverlight plugin outbound connection attempt"; flow:to_server,established; content:"html?sv="; fast_pattern:only; http_uri; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29002; rev:1;)
# SPL2 landing page: a Silverlight version probe followed by a Java version probe.
# NOTE(review): unlike the other landing-page rules here, there is no file_data option, so both
# contents are evaluated against the packet payload as received. A compressed or chunked response
# may therefore go unmatched - confirm whether that is intended before relying on this sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SPL2 exploit kit landing page detection"; flow:to_client,established; content:"$$.getVersion(|22|Silverlight|22|)|3B|"; content:"$$.getVersion(|22|Java|22|)"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit PDF exploit retrieval attempt"; flow:to_server,established; urilen:<16; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/\d{1,2}(?P<letter>[A-Z])\d{1,2}(?P=letter)\d{1,2}(?P=letter)\d{1,2}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29131; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload download attempt"; flow:to_server,established; urilen:13; content:" Java/1."; fast_pattern:only; http_header; pcre:"/^\/\d{4}\/\d{7}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29130; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit jar exploit download - specific structure"; flow:to_server,established; content:"/hanger.jar"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29129; rev:2;)
# Stamp plugin-detection page (sid:29128). sid:30306 ("SofosFO/Stamp ...") in
# this file matches the identical content string under file_data and is listed
# for the same balanced-ips and security-ips policies, so one response may
# produce two events. Correlate or de-duplicate by sid during triage.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2012-4681; reference:cve,2013-0431; classtype:trojan-activity; sid:29128; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit XORed payload download attempt"; flow:to_client,established; file_data; content:"|7C 68 A3 34 36 36 37 38 35 32 33 34 CA C9 37 38|"; depth:16; metadata:impact_flag red, policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0074; reference:cve,2013-0634; reference:cve,2013-3896; reference:url,malware.dontneedcoffee.com/2013/12/cve-2013-5329-or-cve-2013-5330-or.html; classtype:trojan-activity; sid:29066; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29166; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound jar request"; flow:to_server,established; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-f0-9]{32}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29165; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound flash request"; flow:to_server,established; content:".swf"; http_uri; content:"x-flash-version|3A|"; http_header; content:"Referer"; http_header; content:"flash.php?id="; distance:0; http_header; pcre:"/\/[a-f0-9]{32}\.swf$/U"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29164; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound exploit request"; flow:to_server,established; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=[a-f\d]{20}/iU"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf; metadata:policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29163; rev:4;)
# Magnitude IE payload request (sid:29189). urilen:34 equals "/?" plus the 32
# hex characters the pcre requires. " MSIE " must appear in the headers and the
# negated content requires that no "Referer:" header is present.
# Sets file.exploit_kit.pe; no rule testing that flowbit is visible in this
# part of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29189; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit embedded open type font file request"; flow:to_server,established; urilen:37; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/U"; metadata:service http; classtype:trojan-activity; sid:29188; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound pdf request"; flow:to_server,established; urilen:<27; content:".pdf"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[\w_]{32,}\.html\r$/Hsm"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:29187; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound connection"; flow:to_server,established; urilen:<28; content:"/1"; http_uri; content:".htm"; distance:0; http_uri; content:"Referer"; http_header; content:".html"; distance:0; http_header; pcre:"/^(\/\d{8,11})?(\/\d)?\/1[34]\d{8}\.htm$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29186; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"nib|28 27|http|3A 2F 2F|"; content:".mp3|27 29 3B|"; within:25; distance:10; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29361; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"4Um3S0Vm3"; depth:15; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:29360; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit eot outbound connection"; flow:to_server,established; urilen:>100; content:".eot"; fast_pattern:only; http_uri; content:"Referer"; http_header; content:!"|0D 0A|"; within:100; content:"/fnts.html"; distance:0; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29453; rev:2;)
# Styx landing page request (sid:29452). Besides alerting, this rule sets the
# styx_landing flowbit that sid:29449 tests with flowbits:isset on the
# response, so disabling this rule also silences sid:29449.
# NOTE(review): every listed policy gives this rule the drop action; where the
# request is actually dropped inline, the response that sid:29449 inspects
# presumably never arrives. Verify which of the two you expect to see.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit landing page request"; flow:to_server,established; urilen:>100; content:"/i.html?"; depth:8; http_uri; pcre:"/\/i\.html\?[a-z0-9]+\=[a-zA-Z0-9]{25}/U"; flowbits:set,styx_landing; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit outbound connection attempt"; flow:to_server,established; content:"/?id=ifrm"; fast_pattern:only; http_header; content:"/?"; depth:2; http_uri; pcre:"/\/\?[a-z0-9]{9}\=[a-zA-Z0-9]{45}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29450; rev:2;)
# Styx landing page response (sid:29449). Evaluated only on flows where
# styx_landing is already set (sid:29452 sets it on the request). The body
# check looks for <textarea id=" with the closing "> found within 10 bytes,
# then requires at least 300 further bytes (isdataat:300,relative) that do not
# contain "</textarea>" in the next 300.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; flowbits:isset,styx_landing; file_data; content:"<textarea id=|22|"; content:"|22|>"; within:10; isdataat:300,relative; content:!"</textarea>"; within:300; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29449; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Styx exploit kit landing page"; flow:to_client,established; file_data; content:"document.write(|27|<app|27|+|27|let archive=|22|"; content:".jar|22| code=|22|"; distance:0; content:"<param val|27|+|27|ue=|22|http|3A 2F 2F|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29448; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit payload download - scandsk.exe"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"scandsk.exe|0D 0A|"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:29447; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit jar outbound connection"; flow:to_server,established; urilen:>100; content:".jar"; fast_pattern:only; http_uri; content:"Cookie"; http_header; content:!"|0D 0A|"; within:100; content:" Java/1"; http_header; pcre:"/\.jar$/Ui"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; reference:url,malwaresigs.com/2012/12/19/styx-exploit-kit/; classtype:trojan-activity; sid:29446; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit fonts download page"; flow:to_server,established; content:"/fnts.html"; fast_pattern:only; http_uri; pcre:"/\/fnts\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:29445; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit flashplayer11 payload download"; flow:to_client,established; content:"flashplayer11_"; http_header; file_data; content:"MZ"; depth:2; metadata:service http; classtype:trojan-activity; sid:29444; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|7D 6B F8 64 76 74 6E 66|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29414; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E F2 32 30 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:29413; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit Java download attempt"; flow:to_server,established; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_-]{48}$/Ui"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:29412; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page"; flow:to_client,established; file_data; content:"navigator.userAgent.indexOf(|27|Firefox|27|)>=0|7C 7C|navigator.userAgent.indexOf(|27|MSIE|27|)>=0))"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:29411; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java v1.6.32 and older"; flow:to_server,established; content:".php?a=h7"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30009; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 8 on Windows XP"; flow:to_server,established; content:".php?a=h6"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30008; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 7 on Windows XP with Java before v1.7.17 "; flow:to_server,established; content:".php?a=h5"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30007; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Microsoft Internet Explorer 6 on Windows XP"; flow:to_server,established; content:".php?a=h4"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30006; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Google Chrome with Java before v1.7.17"; flow:to_server,established; content:".php?a=h3"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit - exploit targeting Java before v1.7.17"; flow:to_server,established; content:".php?a=h2"; http_uri; content:".php?a=h1&f="; fast_pattern:only; http_header; content:"&u=Mozilla"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30004; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,attack.mitre.org/techniques/T1189; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit Java download attempt"; flow:to_server,established; content:".php?a=r"; fast_pattern:only; http_uri; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30002; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit landing page detected"; flow:to_client,established; file_data; content:"document.createElement(|22|iframe|22|)"; fast_pattern:only; content:".width"; content:".height"; content:".style.visibility"; within:50; content:".php"; within:300; content:".appendChild("; within:500; pcre:"/var\s(?P<name>\w+)\s?=\s?document\.createElement\x28\x22iframe\x22\x29.*?(?P=name)\.style\.visibility.*?(?P=name)\.src\s?=\s?[\x22\x27][^\x22\x27]*\.php.*?\.appendChild\x28(?P=name)\x29/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2011-1255; reference:cve,2013-1489; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30001; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit malicious payload delivery - specific string"; flow:to_client,established; content:"filename="; http_header; content:"very.mhh"; within:12; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30134; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Stamp exploit kit landing page"; flow:to_client,established; file_data; content:"frameborder=|22|NO|22| framespacing=|22|0|22| border=|22|0|22|><frame name="; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30133; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30220; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound jar request"; flow:to_server,established; content:"/1"; http_uri; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^(?:\/\d{9,10})?(?:\/\d)?\/1[34]\d{8}\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30219; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Zuponcic exploit kit Oracle Java file download"; flow:to_client,established; content:"filename="; nocase; http_header; content:"FlashPlayer.jar"; within:17; fast_pattern; http_header; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/9324faaed6c7920f1721b60f81e1b04fbe317dedf9974bdfa02d8fcd1f0be18f/analysis/; classtype:trojan-activity; sid:25764; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30319; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"<html><th>Wait Please...</th><body>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30317; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:".xml|22| name=|22|jnlp_href|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30316; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT WhiteLotus exploit kit plugin outbound detection"; flow:to_server,established; urilen:32; content:"POST"; http_method; content:"v="; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"&w="; distance:0; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30312; rev:1;)
# SofosFO/Stamp plugin-detection page (sid:30306). The content string and
# file_data scope are identical to sid:29128 ("Stamp exploit kit plugin
# detection page") in this file, and both are listed for balanced-ips and
# security-ips, so one response may produce two events. Correlate by sid.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT SofosFO/Stamp exploit kit plugin detection page"; flow:to_client,established; file_data; content:"go2Page|28 27|/|27|+PluginDetect.getVersion|28 22|AdobeReader|22 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30306; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:>32; content:" Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9]){32}[\/_]*?\/\d+?$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30768; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Oracle Java payload request"; flow:to_server,established; urilen:66; content:" Java/1."; http_header; pcre:"/^\/(?:[a-f0-9]{32}\/[a-f0-9]{32})$/U"; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30767; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit landing page"; flow:to_client,established; file_data; content:"<EMBED code="; content:"archive=|22|http|3A 2F 2F|"; distance:0; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\x22/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30766; rev:1;)
# Angler landing page (sid:30852). The pattern is base64 text; decoded it is a
# newline, then <?xml version="1.0" encoding="utf-8"?>, a newline and the start
# of a <jnlp spec="1.0" element. Base64 output depends on 3-byte alignment, so
# the same XML embedded at another offset, or with different leading
# whitespace, encodes differently and would not match this string.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page - base64 encoded xml/jnlp statement"; flow:to_client,established; file_data; content:"Cjw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+CjxqbmxwIHNwZWM9IjEuMCIgeG1"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30852; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit mp3 requested by Java"; flow:to_server,established; urilen:<50,norm; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\d+\.mp3$/U"; metadata:service http; classtype:trojan-activity; sid:30878; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound PDF request"; flow:to_server,established; content:".pdf"; http_uri; content:"/1/1"; fast_pattern:only; http_uri; content:".html"; http_header; pcre:"/^\/\d{9,10}\/1\/1\d{9}\.pdf$/U"; flowbits:set,file.exploit_kit.pdf; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30937; rev:3;)
# Goon/Infinity/Rig outbound URI structure (sid:30936). The rule matches
# "&PHPSSESID=" with a doubled S. NOTE(review): presumably the kit's own
# spelling rather than a typo for PHPSESSID; do not "correct" it without a
# capture that shows otherwise. The pcre limits req= to xap, xml, swf, swfIE,
# mp3 or jar, case-insensitively, and the rule sets both the jar and the
# silverlight file flowbits.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit outbound uri structure"; flow:to_server,established; content:".php?req="; fast_pattern; nocase; http_uri; content:"&PHPSSESID="; distance:0; http_uri; pcre:"/\.php\?req=(?:x(?:ap|ml)|swf(IE)?|mp3|jar)\&/Ui"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:30936; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit landing page - specific structure"; flow:to_client,established; file_data; content:"|3A|stroke id="; fast_pattern:only; content:"|3B|function pop(koz)"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30935; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity/Rig exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|89 B4 F4 6A 24 1F 46 14|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30934; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound jnlp request"; flow:to_server,established; content:"/testi.jnlp"; content:" Java/1."; distance:0; metadata:impact_flag red, service http; classtype:trojan-activity; sid:30960; rev:2;)
# CritX flowbit chain. Four request rules set per-exploit flowbits and six
# response rules test them with flowbits:isset, so a response rule stays silent
# on any flow where its request rule did not match or is disabled:
#   critx_flash  set by sid:30970  ->  tested by sid:30976, sid:30967
#   critx_java   set by sid:30971  ->  tested by sid:30975, sid:30965
#   critx_font   set by sid:30972  ->  tested by sid:30968
#   critx_ie     set by sid:30969  ->  tested by sid:30966
# Several response rules share one msg string (30976/30967 and 30975/30965);
# tell them apart by sid when triaging.
#
# sid:30976 - Flash redirection, script form: "<script>" then "var " within a
# few bytes, a 'toString' literal, and a pcre tying the declared function name
# to a later call with a numeric argument.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"<script>"; content:"var "; within:4; distance:1; content:"|27|toString|27|"; distance:0; pcre:"/var\s+(?P<name>\w+)\=function\(.*?\x27\x2b(?P=name)\(\d+\x29/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30976; rev:1;)
# sid:30975 - Java redirection: document.write output referencing an archive
# whose name is 32 hex characters followed by .jar.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"document.write"; content:"archive="; distance:0; content:".jar"; distance:0; pcre:"/\/[a-f0-9]{32}\.jar/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30975; rev:1;)
# sid:30973 - payload request, independent of the critx_* flowbits. The pcre
# accepts /loaddb, /loadrh, /loadsilver, /loadmsie, /loadflash and /loadfla
# plus 4-5 digits, each followed by .php. sid:29166 in this file also matches
# "/loadmsie.php?id=", so that URI may raise both.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:6;)
# sid:30972 - state-only setter for critx_font: flowbits:noalert means it never
# raises an event itself. It carries no policy metadata, while sid:30968, which
# depends on it, is listed for balanced-ips and security-ips.
# NOTE(review): confirm your rule-management tooling enables flowbit setters
# for the policy in use, otherwise sid:30968 cannot fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Silverlight landing page"; flow:to_server,established; content:"/silver.php"; fast_pattern:only; http_uri; flowbits:set,critx_font; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30972; rev:4;)
# sid:30971 - sets critx_java on /javarh.php or /javadb.php; alerts as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Oracle Java landing page"; flow:to_server,established; content:"/java"; fast_pattern:only; http_uri; pcre:"/\/java(rh|db)\.php$/U"; flowbits:set,critx_java; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30971; rev:3;)
# sid:30970 - sets critx_flash on /flash2013.php or /flash2014.php; alerts as
# well. Other year suffixes are not covered by the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Adobe Flash landing page"; flow:to_server,established; content:"/flash201"; fast_pattern:only; http_uri; pcre:"/\/flash201(3|4)\.php$/U"; flowbits:set,critx_flash; metadata:policy balanced-ips alert, policy security-ips alert, service http; classtype:trojan-activity; sid:30970; rev:3;)
# sid:30969 - state-only setter for critx_ie (flowbits:noalert, no policy
# metadata); sid:30966 depends on it. Same tooling caveat as sid:30972.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit outbound request for Microsoft Internet Explorer landing page"; flow:to_server,established; content:"/msie.php"; fast_pattern:only; http_uri; flowbits:set,critx_ie; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:30969; rev:4;)
# sid:30968 - font redirection. "aHR0cDov" is base64 for "http:/", and the
# three pcre alternatives (LmVvdA==, 5lb3Q=, uZW90) are the three possible
# base64 alignments of ".eot", so the rule matches a base64-encoded URL ending
# in .eot regardless of its length modulo 3.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to font exploit"; flow:to_client,established; flowbits:isset,critx_font; file_data; content:"/x-silverlight-2"; content:".eot"; distance:0; content:"aHR0cDov"; distance:0; pcre:"/^[\w+\/]+(?:(?:LmVvdA|5lb3Q)==?|uZW90)[\x22\x27]/Rsi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30968; rev:1;)
# sid:30967 - Flash redirection, markup form: createFlashMarkup followed by a
# .swf whose file name is five hex characters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Adobe Flash exploit"; flow:to_client,established; flowbits:isset,critx_flash; file_data; content:"createFlashMarkup"; content:".swf"; distance:0; pcre:"/[a-zA-Z0-9]\/[a-f0-9]{5}\.swf[\x22\x27]/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30967; rev:1;)
# sid:30966 - IE redirection. The only body match is the VML behavior string;
# the critx_ie gate is presumably what keeps this from firing on unrelated
# pages that use VML, so it should not be run without the setter.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Microsoft Internet Explorer exploit"; flow:to_client,established; flowbits:isset,critx_ie; file_data; content:"behavior:url(#default#VML"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30966; rev:1;)
# sid:30965 - Java redirection, embedded-JNLP form. "C9qbmxwPg==" is the tail
# of "PC9qbmxwPg==", the base64 encoding of "</jnlp>" when that tag starts on a
# 3-byte boundary; other alignments of the closing tag would not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page - redirection to Oracle Java exploit"; flow:to_client,established; flowbits:isset,critx_java; file_data; content:"jnlp_embedded"; content:"C9qbmxwPg=="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30965; rev:1;)
# sid 31046: Angler request whose normalized URI is "/" + 70-78 characters of [-\w]
# ending in "=" or "=="; sets the silverlight and jar file bits. The only policy tag
# is max-detect-ips, so it is a broad structural match, not a high-confidence alert.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:70<>82; content:"= HTTP/"; fast_pattern:only; content:"User-Agent"; http_header; pcre:"/^\/[-\w]{70,78}==?$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31046; rev:6;)
# sid 31130 (shipped disabled): keys on a fixed 8-byte prefix at the start of the
# response body. NOTE(review): presumably tied to one payload encoding key; confirm it
# is still relevant before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|21 3B E3 70 65 6E 66 64|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31130; rev:2;)
# sid 31237 (shipped disabled): Nuclear .swf request whose file name is a 10-digit
# number starting 13 or 14, optionally preceded by a 9-10 digit and a /1 or /6 segment.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound swf request"; flow:to_server,established; content:"/1"; http_uri; content:".swf"; fast_pattern:only; http_uri; pcre:"/^(?:\/\d{9,10})?(?:\/[16])?\/1[34]\d{8}\.swf$/U"; metadata:service http; classtype:trojan-activity; sid:31237; rev:2;)
# Bleeding Life exploit kit: four outbound-request rules keyed on fixed paths.
#   31232  /modules/<digit>.jar requested by a Java user agent; sets file.exploit_kit.jar
#   31231  /load_module.php?user= followed by n1, 1, 2 or 11 at end of URI
#   31230  /add_visitor.php?referrer=http://  (content match only, no pcre)
#   31229  /modules/<n?digit|nu>.swf
# No rule in this part of the file checks file.exploit_kit.jar; the consumer, if any,
# lives elsewhere in the ruleset.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound jar request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/modules\/\d\.jar$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31232; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/load_module.php?user="; fast_pattern:only; http_uri; pcre:"/\/load_module\.php\?user\=(n1|1|2|11)$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31231; rev:1;)
# NOTE(review): sid 31230 and 31231 share the same msg text; use the sid, not the
# message, when correlating or suppressing alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound connection"; flow:to_server,established; content:"/add_visitor.php?referrer=http://"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31230; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Bleeding Life exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/modules/"; fast_pattern:only; http_uri; pcre:"/\/modules\/(n?\d|nu)\.swf$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31229; rev:1;)
# sid 31298 (shipped disabled): Goon/Infinity landing page. Requires the VML behavior
# string, "*/var " with at least 500 bytes following, and a one-character function name
# that is later called with a quoted lowercase-alphanumeric argument (pcre back-reference).
# NOTE(review): the pcre contains an unanchored ".*"; measure rule performance on large
# pages before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Goon/Infinity exploit kit landing page"; flow:to_client,established; file_data; content:"#default#VML"; fast_pattern:only; content:"*/var "; isdataat:500,relative; content:"|3B|function "; within:50; pcre:"/\x3bfunction\s(?P<name>\w)\x28.*\x3b(?P=name)\x28\x22[\da-z]+\x22\x29\x3b/"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:31298; rev:2;)
# CottonCastle exploit kit. All six rules use "any" ports and match raw packet content
# (no http_uri / file_data buffers), so they are not limited to $HTTP_PORTS.
# Request path shape: /3/<2 uppercase letters>/<32 lowercase hex chars>, followed by
#   31279  " HTTP"                          (decryption page)
#   31278  ".mkv"    sets file.exploit_kit.jar
#   31277  ".djvu"   sets file.exploit_kit.jar
#   31276  "/<n>.<n>.<n>.<n>/"  sets file.exploit_kit.flash (checked by sid 31903/31902)
# The content/within/distance pairs are fast pre-filters for the same layout the pcre
# verifies: distance:2 skips the two letters, distance:35 skips letters + "/" + 32 hex.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit decryption page outbound request"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\sHTTP/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31279; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".mkv"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.mkv/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31278; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Oracle Java outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:2; content:".djvu"; distance:0; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\.djvu/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0422; reference:cve,2013-2460; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31277; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit Adobe flash outbound connection"; flow:to_server,established; content:"/3/"; content:"/"; within:1; distance:35; pcre:"/\/3\/[A-Z]{2}\/[a-f0-9]{32}\/\d+\.\d+\.\d+\.\d+\//"; flowbits:set,file.exploit_kit.flash; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:cve,2013-0634; reference:cve,2014-0515; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31276; rev:3;)
# sid 31275: single body string, matched without file_data.
# NOTE(review): presumably this will not see the marker in a compressed response body;
# confirm against your HTTP inspection settings.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit landing page"; flow:to_client,established; content:"*/adv=|27|OrbitWhite|27|/* "; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31275; rev:1;)
# sid 31274: response naming a download "<lowercase letters>.jat".
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT CottonCastle exploit kit encrypted binary download"; flow:to_client,established; content:"filename="; content:".jat"; distance:0; pcre:"/filename=[a-z]+\.jat/"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2014/06/cottoncastle.html; classtype:trojan-activity; sid:31274; rev:1;)
# sid 31332: Angler request whose normalized URI is exactly "/" + 64 characters of
# [\w-]. flowbits:noalert means it never alerts; it only sets the silverlight, jar and
# flash file bits for later download rules (e.g. sid 31903/31902 for flash).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; urilen:65,norm; content:"User-Agent"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{64}$/U"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; flowbits:noalert; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31332; rev:8;)
# sid 31331 (shipped disabled): fixed 8-byte prefix at the start of the response body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 3E C2 32 61 34 6E 68|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31331; rev:2;)
# sid 31371: raw-packet, any-port variant of the 64-character path. Additionally
# requires a Host header carrying an explicit ":<port>", "Cache-Control: no-cache" as
# the final header (followed by the blank line), and no "Referer" anywhere in the packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound URL structure"; flow:to_server,established; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:"Cache-Control|3A 20|no-cache|0D 0A 0D 0A|"; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1\.[^\x2f]+Host\x3a\x20[^\x3a]+\x3a\d+\x0d\x0a/"; flowbits:set,file.exploit_kit.silverlight&file.exploit_kit.jar&file.exploit_kit.flash; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:31371; rev:7;)
# sid 31370: redirection page script: two short "var" declarations followed closely by
# an Array.prototype.indexOf fallback and a later "this.length;".
# NOTE(review): the indexOf fallback is a common JavaScript idiom; the rule's
# specificity comes from the within/distance spacing, so watch for false positives.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirection page"; flow:to_client,established; file_data; content:"var|20|"; content:"|3B 20|var|20|"; within:20; distance:5; content:"|3B 20|if(!Array.prototype.indexOf){"; within:50; distance:5; content:"this.length|3B|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31370; rev:1;)
# sid 31369: Rig Silverlight request, URI is exactly /<2-4 digits>.xap; sets
# file.exploit_kit.silverlight.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound Microsoft Silverlight request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; pcre:"/^\/\d{2,4}\.xap$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31369; rev:2;)
# sid 31455 (shipped disabled, community ruleset): URI of the form
# /<1-4 lowercase letters>.html?0.<15 or more digits>, total URI length bounded by urilen.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:3;)
# Hanjuan exploit kit.
# sid 31701: request line ending ".x HTTP/1." from an MSIE user agent with no Referer
# header. flowbits:noalert, so it only sets file.exploit_kit.silverlight.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hanjuan exploit kit Silverlight exploit request"; flow:to_server,established; content:".x HTTP/1."; fast_pattern:only; content:" MSIE "; http_header; content:!"Referer"; nocase; http_header; flowbits:set,file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31701; rev:7;)
# sid 31700: landing page markup: <li class="is-new"> followed within a few bytes by
# <a href="show.php; alerts and sets the jar and silverlight file bits.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit landing page detection"; flow:to_client,established; file_data; content:"<li class=|22|is-new|22|>"; content:"<a href=|22|show.php"; within:17; distance:1; flowbits:set,file.exploit_kit.jar&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31700; rev:2;)
# sid 31699: fixed 8-byte prefix at the start of the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hanjuan exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|71 75 B9 86 D8 51 1B 7B|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; classtype:trojan-activity; sid:31699; rev:1;)
# sid 31695 (shipped disabled): Angler, fixed 8-byte prefix at the start of the body.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|2C 36 F4 6F 6D 6A 66 67|"; depth:8; metadata:service http; classtype:trojan-activity; sid:31695; rev:2;)
# sid 31692: CritX landing page: a meta refresh to about:Tabs plus the hex-escaped
# string \x72\x65\x70\x6C\x61\x63\x65 ("replace").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit landing page detected"; flow:to_client,established; file_data; content:"=|22|1|3B|url=about|3A|Tabs|22 20|http-equiv"; fast_pattern:only; content:"|5C|x72|5C|x65|5C|x70|5C|x6C|5C|x61|5C|x63|5C|x65"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31692; rev:1;)
# sid 31734: Nuclear landing page: "replace" assembled by string concatenation
# ('re'+'pl'+'ac'+'e') in one exact quoting layout.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detection"; flow:to_client,established; file_data; content:"=|27|+|27 20 22|re|27|+|27|pl|27|+|27|ac|27|+|27|e|22 3B 27|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31734; rev:2;)
# sid 31770 (shipped disabled): Sweet Orange, keys only on the variable name
# jquery_datepicker being assigned or passed through .replace.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jquery_datepicker domain decode attempt"; flow:to_client,established; content:"jquery_datepicker"; fast_pattern:only; pcre:"/(var jquery_datepicker=)|(jquery_datepicker.replace)/"; metadata:impact_flag red, service http; reference:url,malware-traffic-analysis.net/2014/08/18/index.html; classtype:trojan-activity; sid:31770; rev:1;)
# sid 31769: Sweet Orange request for /stargalaxy.php?nebula= where the Host header
# carries an explicit ":<port>" (raw-packet match, any destination port).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound connection on non-standard port"; flow:to_server,established; content:"/stargalaxy.php?nebula="; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:31769; rev:1;)
# Generic Flash download confirmation. These two rules fire only when
# file.exploit_kit.flash was set earlier on the same flow (in this part of the file by
# sid 31276, 31332, 31371, 33182 and 33184) and the response body starts with a
# compressed-SWF signature: "ZWS" (LZMA) for sid 31903, "CWS" (zlib) for sid 31902.
# An uncompressed "FWS" body is not covered by this pair.
# Operational note: the alert message is kit-agnostic; to attribute a hit, look for
# the setter rule that matched the preceding request on the flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"ZWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31903; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit flash file download"; flow:to_client,established; flowbits:isset,file.exploit_kit.flash; file_data; content:"CWS"; depth:3; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31902; rev:1;)
# sid 31900 / 31899: Angler encoded shellcode marker: one 8-character token repeated
# six times in the response body ("nhadR2b4" for the Internet Explorer variant,
# "SYwT6Qty" for the Adobe Flash variant). Exact-string matches only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Internet Explorer encoded shellcode detected"; flow:to_client,established; file_data; content:"nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4nhadR2b4"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31900; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash encoded shellcode detected"; flow:to_client,established; file_data; content:"SYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6QtySYwT6Qty"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31899; rev:1;)
# sid 31898: landing page identified purely by line-ending layout around </script>
# tags (mixed LF and CRLF), on any port and without file_data.
# NOTE(review): presumably blind to compressed bodies and sensitive to any change in
# whitespace; confirm with a known sample before relying on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22 29 3B 0A 0D 0A|</script>"; fast_pattern; content:"</script>|0A|<script>"; within:150; content:"|0A 0D 0A|</script>|0D 0A|<h"; within:200; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31898; rev:1;)
# Scanbox reconnaissance framework.
# sid 31859: outbound data whose payload begins with "projectid=" (depth:10) followed
# in order by &seed=, &ip=, &referrer=, &agent= and &location=. The destination port is
# fixed at 8087, so the same data sent to any other port is not covered by this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8087 (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"projectid="; depth:10; nocase; content:"&seed="; within:40; nocase; content:"&ip="; within:40; nocase; content:"&referrer="; within:40; nocase; content:"&agent="; within:40; nocase; content:"&location="; within:250; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31859; rev:2;)
# sid 31858 / 31857: the same enumeration-script signature for two delivery paths,
# inbound SMTP to $SMTP_SERVERS:25 (31858) and file transfers from $FILE_DATA_PORTS
# (31857). It matches a createElement(unescape("%3Ciframe%20id%3D ...")) call, a
# .crypt._utf8_encode reference, and a .push( shortly before ==c:\\Program Files\\.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_server,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31858; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Scanbox exploit kit enumeration code detected"; flow:to_client,established; file_data; content:"document|2E|createElement|28|unescape|28 22 25|3Ciframe|25|20id|25|3D"; fast_pattern:only; content:"|2E|crypt|2E|_utf8_encode"; content:"|2E|push|28|"; content:"|3D 3D|c|3A 5C 5C|Program Files|5C 5C|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:31857; rev:2;)
# Astrum exploit kit. All five rules below ship commented out (community ruleset).
# sid 31972, 31967 and 31966 each match one fixed 8-byte sequence in the response body
# and require file.exploit_kit.pe, which in this part of the file is set by sid 30973
# (CritX) and sid 32386 (Nuclear); keep a setter enabled if you enable any of them.
# NOTE(review): the three payload rules share one msg text; correlate by sid.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:2;)
# sid 31970: POST to a long URI ending in one or more dots, with Referer, x-req,
# "Connection: Keep-Alive" and "Pragma: no-cache" headers; sets the jar, pdf, flash and
# silverlight file bits.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:2;)
# sid 31965: landing page: "{(new Image).src="/" followed by %72%6f%72%72%65%6e%6f,
# which URL-decodes to "rorreno" ("onerror" reversed).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:3;)
# sid 31988: Gong Da landing page: cookie-expiry script fragment, a 51yes.com
# click-counter URL and a "gb2312" charset string after it (all case-insensitive).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit landing page"; flow:to_client,established; file_data; content:"expires=|22|+expires.toGMTString()"; nocase; content:"51yes.com/click.aspx?"; fast_pattern; nocase; content:"|22|gb2312|22|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31988; rev:2;)
# sid 32390: Angler landing page identified by a single response header, a
# Last-Modified timestamp of Sat, 26 Jul 2040 05:00:00. The body is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32390; rev:1;)
# sid 32389: Nuclear, Java user agent requesting a URI ending /14<8 digits> with an
# optional four-character suffix; sets file.exploit_kit.jar.
# NOTE(review): the "." in "(.jar)?" is unescaped, so it matches any character before
# "jar", not only a literal dot. "(\.jar)?" would be tighter; make such a change in a
# local copy with its own sid so ruleset updates do not overwrite it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Oracle Java request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/14\d{8}(.jar)?$/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32389; rev:2;)
# sid 32388: landing page: new Function("<name>","if(<name> ... with the same
# identifier used as parameter and in the condition (pcre back-reference).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"*/ new Function(|22|"; content:"|22|,|22|if("; within:20; content:" != |27 27|){"; pcre:"/new\sFunction\x28\x22(?P<a1>\w+)\x22\,\x22if\x28(?P=a1)\x20/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32388; rev:1;)
# sid 32387: the msg says "jar" while the header match is a filename of 8 characters
# plus ".swf"; the body must start with "PK\x03\x04" (ZIP/JAR signature), i.e. an
# archive served under a Flash file name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit jar file download"; flow:to_client,established; content:"filename="; content:".swf"; within:4; distance:8; file_data; content:"PK|03 04|"; within:4; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32387; rev:1;)
# sid 32386: URI starting /f/ with an optional segment, /14<8 digits>, then optional
# numeric and hex segments; sets file.exploit_kit.pe (checked in this part of the file
# only by the commented-out Astrum payload rules).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32386; rev:3;)
# sid 32399: Angler Java request, raw-packet match on any port. Requires the Java
# plugin's "accept-encoding: pack200-gzip, gzip" header, a " Java/1." user agent, a
# 64-character [\w-] path and no "Referer" anywhere in the packet. Sets no flowbit.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound Oracle Java request"; flow:to_server,established; content:"accept-encoding|3A| pack200-gzip, gzip"; fast_pattern:only; content:"GET /"; content:"HTTP/1."; within:8; distance:64; content:"Host|3A 20|"; content:" Java/1."; content:!"Referer"; pcre:"/GET\s\/[\w-]{64}\sHTTP\/1/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:32399; rev:3;)
# Hellspawn exploit kit.
# sid 32555: Java user agent requesting /Plugin.jar while sending a cookie of the form
# <32 hex>=<32 hex> (the content match pins "=" at cookie offset 32); sets
# file.exploit_kit.jar.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hellspawn exploit kit outbound Oracle Java jar request"; flow:to_server,established; content:"/Plugin.jar"; http_uri; content:" Java/1."; http_header; content:"="; depth:1; offset:32; http_cookie; pcre:"/[a-f0-9]{32}=[a-f0-9]{32}/C"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, service http; classtype:trojan-activity; sid:32555; rev:5;)
# sid 32554: landing page, a weCameFromHell('<applet name="Update Java ...') call in
# the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hellspawn exploit kit landing page detected"; flow:to_client,established; file_data; content:"weCameFromHell(|27|<applet name=|22|Update Java"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32554; rev:1;)
# Sweet Orange exploit kit. All four rules below ship commented out. Each matches raw
# packet content on any port and requires a Host header that includes an explicit
# ":<port>" (pcre Host:...:<digits>\r\n).
#   32641  (applet|testi).jnlp requested by a Java user agent
#   32640  <word>.php?<word>=<digits> request
#   32639  .jar requested by a Java user agent
#   32638  x-flash-version header plus a Referer that also carries ":<port>/"
# NOTE(review): sid 32640 and 32639 describe very common request shapes; presumably
# that is why they are disabled. Test against your own traffic before enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Oracle Java jnlp file requested on defined port"; flow:to_server,established; content:"GET"; content:".jnlp HTTP/1.1"; distance:0; content:" Java/1."; content:"Host"; content:"|3A|"; distance:0; pcre:"/(applet|testi)\.jnlp\sHTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32641; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit outbound payload detection"; flow:to_server,established; content:"GET /"; content:".php?"; fast_pattern:only; pcre:"/\w+\.php\?\w+\=\d+\s*HTTP\/1\./"; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; metadata:service http; classtype:trojan-activity; sid:32640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit jar file requested on defined port"; flow:to_server,established; content:"GET"; content:".jar HTTP/1.1"; distance:0; content:" Java/1."; content:"Host|3A|"; pcre:"/Host\x3a[^\n]+\x3a\d+\r\n/"; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:32639; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit Adobe Flash exploit on defined port"; flow:to_server,established; content:"GET /"; content:"x-flash-version|3A 20|1"; fast_pattern:only; pcre:"/Host\x3a[^\n]+\x3a\d+\x0d\x0a/"; pcre:"/Referer\x3a[^\n]+\x3a\d+\x2f/"; metadata:service http; classtype:trojan-activity; sid:32638; rev:1;)
# sid 32804: JavaScript packer whose function parameter list is interleaved with block
# comments: function(/*...*/p,/*...*/a,/*...*/c,/*...*/k,/*. Classified misc-activity
# rather than trojan-activity, yet tagged "drop" in three policies.
# NOTE(review): the p,a,c,k parameter names resemble a widely used public packer;
# the comment interleaving is what this rule actually keys on.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT known malicious javascript packer detected"; flow:to_client,established; file_data; content:"function|28 2F 2A|"; content:"|2A 2F|p,|2F 2A|"; within:25; content:"|2A 2F|a,|2F 2A|"; within:25; content:"|2A 2F|c,|2F 2A|"; within:25; content:"|2A 2F|k,|2F 2A|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/; classtype:misc-activity; sid:32804; rev:4;)
# sid 32803: CK landing page, the strings "img" and "src" each built by concatenating
# single quoted characters ("i"+"m"+"g"; then "s"+"r"+"c";) a few bytes apart.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CK exploit kit landing page"; flow:to_client,established; file_data; content:"=|22|i|22|+|22|m|22|+|22|g|22 3B|"; content:"=|22|s|22|+|22|r|22|+|22|c|22 3B|"; within:14; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32803; rev:2;)
# Nuclear exploit kit, flowbit-paired rules. The setters are flowbits:noalert and carry
# no policy tag; their checkers do the alerting.
#   Nuclear            : set by sid 32880            -> checked by sid 32879
#   file.nuclear.flash : set by sid 32878 and 32877  -> checked by sid 32995
# Disabling a setter silently disables its checker.
# sid 32880: URI longer than 36 bytes of the form /ABs<alphanumerics>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; urilen:>36; content:"/ABs"; fast_pattern:only; http_uri; pcre:"/^\/ABs[A-Za-z0-9]+$/U"; flowbits:set,Nuclear; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32880; rev:4;)
# sid 32879: response headers: X-Powered-By, application/octet-stream and an inline
# Content-Disposition whose filename is lowercase alphanumerics with no extension.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit payload delivery"; flow:to_client,established; flowbits:isset,Nuclear; content:"X-Powered-By|3A 20|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:"filename="; distance:0; http_header; pcre:"/filename=[a-z0-9]+\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32879; rev:1;)
# sid 32878: the pcre makes ".swf" optional at the end of the URI, but the separate
# content:".swf" http_uri match still requires ".swf" somewhere in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/14"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32878; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Adobe Flash exploit request"; flow:to_server,established; content:"/13"; fast_pattern:only; http_uri; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}(?:\.swf)$/U"; flowbits:set,file.nuclear.flash; flowbits:noalert; metadata:service http; classtype:trojan-activity; sid:32877; rev:5;)
# sid 32876: Silverlight request, URI ending /13[89]<7 digits>.xap or /14<8 digits>.xap;
# alerts on its own and sets file.exploit_kit.silverlight.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound Microsoft Silverlight exploit request"; flow:to_server,established; content:".xap"; fast_pattern:only; http_uri; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})(?:\.xap)$/U"; flowbits:set,file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:32876; rev:2;)
# sid 32995: Flash content type and a numeric <digits>.swf filename in the headers.
# NOTE(review): the final content:"ZWS" has no file_data, depth or buffer modifier, so
# it matches anywhere in the raw packet rather than at the start of the file (compare
# sid 31903, which uses file_data with depth:3).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit Adobe Flash download"; flow:to_client,established; flowbits:isset,file.nuclear.flash; content:"x-shockwave-flash"; http_header; content:"filename="; distance:0; http_header; content:".swf"; distance:0; http_header; pcre:"/filename\=\d+\.swf/H"; content:"ZWS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32995; rev:1;)
# Angler exploit kit, Adobe Flash delivery.
# sid 33187 / 33186: fixed byte sequences inside the transferred file, for inbound SMTP
# (33187) and for $FILE_DATA_PORTS (33186). The two rules use different byte patterns;
# neither checks a file-type flowbit.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; file_data; content:"|12 73 00 00 62 05 24 01 C5 25 FF 01 A8 63 05 62 03 62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8|"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33187; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|62 05 66 01 25 FF 01 A8 62 06 C5 25 FF 01 A8 63 06|"; content:"|62 06 66 01 25 FF 01 A8 C5 25 FF 01 A8 63 09|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33186; rev:2;)
# sid 33185: fixed 8-byte prefix at the start of the response body.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B C7 6A 1E 7C C2 43 EA|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33185; rev:1;)
# sid 33184: response with a fixed "Expires: Sat, 26 Jul 2007 05:00:00 GMT" header and
# a Flash content type; alerts and sets file.exploit_kit.flash (checked by sid
# 31903/31902).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash download"; flow:to_client,established; content:"Expires|3A| Sat, 26 Jul 2007 05|3A|00|3A|00 GMT"; fast_pattern:only; http_header; content:"x-shockwave-flash"; nocase; http_header; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33184; rev:3;)
# sid 33183: landing page identified only by a Last-Modified header dated
# Sat, 26 Jul 2039; the body is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"Last-Modified|3A| Sat, 26 Jul 2039"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33183; rev:1;)
# sid 33182: Flash plugin request (x-flash-version header, Referer present) for a URI
# that is exactly "/" + 48 characters of [\w-]; sets file.exploit_kit.flash.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound Adobe Flash request"; flow:to_server,established; urilen:49,norm; content:"Referer"; http_header; content:"x-flash-version|3A|"; fast_pattern:only; http_header; pcre:"/^\/[\w-]{48}$/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, service http; classtype:trojan-activity; sid:33182; rev:2;)
# CVE-2015-0311 SWF byte signatures. sids 33274/33272 share one content pattern and sids 33273/33271 share another:
# the first of each pair inspects mail sent to $SMTP_SERVERS port 25, the second inspects data from $FILE_DATA_PORTS.
# All four require flowbit file.swf, which is not set anywhere in this section of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33274; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_server,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2015-0311; classtype:trojan-activity; sid:33273; rev:2;)
# NOTE(review): sid 33272 is the only rule of the four without fast_pattern:only - confirm against upstream that this is intended.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D3 62 04 66 01 73 63 0A D3 62 04 D3 62 08 66 01 61 01 D3 62 08 62 0A 61 01 62 07 24 01 C5 D2 60|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33272; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|B2 67 FB 87 EF B2 72 55 DD 65 7F 2D 2C CB B8 FC 59 FE 99 FF 4F FF FD 5F B1 8C 6D 11 5E 19 C9 77|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-0311; classtype:trojan-activity; sid:33271; rev:2;)
# sid 33286: a further 32-byte SWF pattern; unlike the four rules above it has no file.swf flowbit precondition.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Adobe Flash SWF exploit download"; flow:to_client,established; file_data; content:"|80 E2 3F 18 CF F1 3D 00 C4 1C 6E 7A 9F A6 2F 5D 04 11 2E BF C5 79 FC FC 26 2F F0 88 C6 76 1D C5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html; classtype:trojan-activity; sid:33286; rev:1;)
# sid 33292: landing page embedding Flash with allowScriptAccess=always and a FlashVars param whose value starts an
# "exec=" argument; the three relative matches are each bounded to 25 bytes (within:25).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"allowScriptAccess=always"; fast_pattern:only; content:"param name=FlashVars"; nocase; content:"value"; within:25; nocase; content:"exec="; within:25; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.cisco.com/security/talos/angler-flash-0-day; classtype:trojan-activity; sid:33292; rev:1;)
# sid 33663: URI is exactly "/lists/" followed by 20 digits (7 + 20 = urilen:27). The destination port is "any",
# unlike the $HTTP_PORTS used by the neighbouring outbound rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; urilen:27; content:"/lists/"; fast_pattern:only; http_uri; pcre:"/^\/lists\/\d{20}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33663; rev:1;)
# Rig outbound requests: a 15-character parameter name from [A-Za-z0-9_-] whose value begins "l3S".
# sid 33906 anchors on "/?" (normalized URI longer than 160), sid 33905 on "/index.php?" (longer than 80).
# Both set flowbit file.exploit_kit.flash for the response on the same flow.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>160,norm; content:"/?"; depth:2; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33906; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>80,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:4;)
# Nuclear server responses.
# sid 33983: a single raw-stream pattern (no http_header / file_data modifier) spanning the end of the headers and the
# start of the body: Content-Disposition with an empty filename, the blank line, then 8 fixed body bytes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit obfuscated file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A 3F 0B D4 6C 4F 48 61 50|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:33983; rev:4;)
# sid 33982: landing-page HTML skeleton followed by a <textarea> whose id, title and name attributes appear in that
# order, each within 25 bytes of the previous match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"</script></head>|0D 0A|<body>|0D 0A|<h"; fast_pattern:only; content:"<textarea id=|27|"; content:"|27| title=|27|"; within:25; content:"|27| name=|27|"; within:25; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2010-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2013-0074; reference:cve,2013-2465; reference:cve,2013-2471; reference:cve,2013-2551; reference:cve,2013-2883; reference:cve,2013-7331; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33982; rev:3;)
# sid 33981: same empty-filename header as sid 33983, but the body starts with "ZWS" (the LZMA-compressed SWF magic).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit flash file download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B 20|filename=|0D 0A 0D 0A|ZWS"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-0515; reference:cve,2014-0556; reference:cve,2014-8439; reference:cve,2015-0311; reference:cve,2015-0336; classtype:trojan-activity; sid:33981; rev:3;)
# Fiesta exploit downloads, one rule per file type. Each matches "Content-Disposition: inline;" with a filename of
# 5-8 lowercase letters, 2-3 digits and the type's extension, and sets the matching file.exploit_kit.* flowbit.
# The metadata assigns all four to the max-detect-ips policy only.
# sid 34334 (.pdf): the pcre allows exactly one non-CR/LF character between "inline;" and "filename=".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Reader exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; fast_pattern:only; http_header; content:".pdf"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b[^\x0d\x0a]filename=[a-z]{5,8}\d{2,3}\.pdf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.pdf; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34334; rev:9;)
# sid 34332 (.jar): additionally requires "PK" within the first 2 bytes of the file data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Oracle Java exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".jar"; fast_pattern:only; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.jar\x0d\x0a/Hm"; file_data; content:"PK"; within:2; flowbits:set,file.exploit_kit.jar; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:34332; rev:3;)
# sid 34331 (.xap): additionally requires "AppManifest.xaml" in the file data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Microsoft SilverLight exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".xap"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.xap\x0d\x0a/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:set,file.exploit_kit.silverlight; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34331; rev:3;)
# sid 34330 (.swf): header match only; no file_data check.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Fiesta exploit kit Adobe Flash exploit download"; flow:to_client,established; content:"Content-Disposition|3A 20|inline|3B|"; http_header; content:".swf"; http_header; pcre:"/filename=[a-z]{5,8}\d{2,3}\.swf\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34330; rev:3;)
# sid 34348 (commented out, so not loaded): 48-character URI request that carries Keep-Alive but no User-Agent,
# Accept or Referer header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit payload download"; flow:to_server,established; urilen:49; content:"HTTP/1.1|0D 0A|Host|3A|"; fast_pattern:only; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[\w-]{48}$/U"; metadata:service http; classtype:trojan-activity; sid:34348; rev:2;)
# sid 31901: one 64-character string (the 8-character unit "9hFroSHu" repeated eight times) anywhere in the file data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Oracle Java encoded shellcode detected"; flow:to_client,established; file_data; content:"9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu9hFroSHu"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:31901; rev:5;)
# sid 31694 (commented out): same shape as sid 33185 - an 8-byte marker at the start of the file data - with different bytes.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit encrypted binary download"; flow:to_client,established; file_data; content:"|0B 28 FF 53 4B 75 39 68|"; depth:8; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:31694; rev:7;)
# sid 29443: Fiesta outbound request - a 7-8 character directory followed by 60-68 hex characters. The negated
# content checks exclude URIs containing "&" and several fixed words (presumably false-positive exclusions).
# Sets four file.exploit_kit.* flowbits at once.
# NOTE(review): in the trailing class [\x3b\x2c\d+] the "+" is a literal character, not a quantifier - confirm
# against upstream whether that is intended before changing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Fiesta exploit kit outbound connection attempt"; flow:to_server,established; urilen:>70; content:"User-Agent|3A|"; http_header; content:"/"; depth:2; offset:8; http_uri; content:!"&"; http_uri; content:!"details"; http_uri; content:!"weather"; http_uri; content:!"texture"; http_uri; content:!"mailing"; http_uri; content:!"captcha"; http_uri; content:!"/counters/"; http_uri; content:!"/results/"; http_uri; pcre:"/^\/\/?[a-z0-9_]{7,8}\/\??[0-9a-f]{60,68}[\x3b\x2c\d+]*$/U"; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight&file.exploit_kit.flash; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:29443; rev:16;)
# sid 28474: Neutrino plugin-detection POST - normalized URI shorter than 18 and a Referer that points at port 8000
# with a lowercase path and a single parameter holding 6-7 digits.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Neutrino exploit kit outbound plugin detection response - generic detection"; flow:to_server,established; urilen:<18,norm; content:"POST"; http_method; content:"Referer|3A|"; http_header; content:"|3A|8000/"; distance:0; http_header; pcre:"/Referer\x3a\x20[^\s]*\x3a8000\x2f[a-z]+\?[a-z]+=\d{6,7}\x0d\x0a/H"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-0431; reference:cve,2013-1493; reference:cve,2013-2423; reference:cve,2013-2465; classtype:trojan-activity; sid:28474; rev:6;)
# sid 28309: Himan request - URI parameters ex=jre, name, country, os and ver=1. must appear in that order
# (distance:0), and the headers must contain " Java/1".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Himan exploit kit payload - Oracle Java compromise"; flow:to_server,established; content:".php?ex=jre"; http_uri; content:"&name="; distance:0; http_uri; content:"&country="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&ver=1."; distance:0; http_uri; content:" Java/1"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2465; reference:url,malware.dontneedcoffee.com/2013/10/HiMan.html; classtype:trojan-activity; sid:28309; rev:5;)
# sid 27816: second-stage rule. It only evaluates when flowbit file.exploit_kit.jar is already set on the flow
# (setters in this file include sids 34332, 29443 and 34720), then requires "PK" in the first 5 bytes of the file
# data followed by ".class".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file download attempt"; flow:to_client,established; flowbits:isset,file.exploit_kit.jar; file_data; content:"PK"; depth:5; content:".class"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27816; rev:9;)
# sid 26808 (commented out): Java client requesting a .jar whose name is 1-4 characters; a header containing
# "cbssports.com" is excluded (presumably a known false positive).
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity/Redkit exploit kit short jar request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; content:" Java/1."; http_header; content:"content-type|3A| application/x-java-archive"; http_header; pcre:"/^\/[a-z0-9]{1,4}\.jar$/U"; content:!"cbssports.com"; http_header; metadata:policy max-detect-ips drop, service http; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:26808; rev:11;)
# sid 25803: requires flowbit file.jar (a different bit from file.exploit_kit.jar) and one fixed class file name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Multiple exploit kit jar file dropped"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"BurkinoGoso.class"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malwaresigs.com/2013/01/13/sofosfo-exploit-kit-changes/; classtype:trojan-activity; sid:25803; rev:9;)
# sid 34720: Angler exploit request - "/" plus 48 characters, a "." at URI offset 49, then a 2-8 letter extension with
# an optional digit; the Referer must be an http:// URL ending in a path of 10-20 digits. Sets the flash,
# silverlight and jar flowbits; the metadata lists the max-detect-ips policy only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit exploit download"; flow:to_server,established; urilen:52<>59,norm; content:"."; depth:1; offset:49; http_uri; content:"Referer|3A 20|http|3A 2F 2F|"; http_header; pcre:"/^\/[\w-]{48}\.[a-z]{2,8}[0-9]?$/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f[^\n]+\/\d{10,20}\x0d\x0a/Hm"; flowbits:set,file.exploit_kit.flash&file.exploit_kit.silverlight&file.exploit_kit.jar; metadata:policy max-detect-ips alert, service http; classtype:trojan-activity; sid:34720; rev:2;)
# sid 34970: landing-page script in which /* */ comment blocks surround a string concatenation that ends in
# .substr(NN,NN); the content chain bounds the distances and the pcre pins the exact shape.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"/*"; within:100; content:"*/"; within:20; content:".substr|28|"; within:40; content:"/*"; within:10; content:"*/"; within:20; pcre:"/<script>.*?\x2f\x2a\w+\s\x2a\x2f\s*\x22\w+\x22\x2b\x22\w+\x22\x2esubstr\x28\d{2},\d{2}\x29\x2f\x2a\w+\s\x2a\x2f\s\x3b/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34970; rev:1;)
# sid 34969: a <p element followed within 100 bytes by a fixed inline-style fragment and "overflow:hidden;".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p"; content:"px|3B| font-style|3A| none|3B| "; within:100; content:"overflow|3A|hidden|3B|"; within:25; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2015/06/15/index.html; classtype:trojan-activity; sid:34969; rev:1;)
# Null Hole requests (both commented out, so not loaded). Each keys on a "Cookie: nhweb=" header and a URI holding a
# 32-hex-character directory: sid 35085 then expects a .swf name, sid 35084 a name ending in digits plus ".exe&h=<digit>"
# with no Referer header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit malicious swf request"; flow:to_server,established; urilen:>37; content:".swf"; http_uri; content:"Cookie|3A| nhweb="; fast_pattern:only; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\x2eswf/iU"; metadata:policy security-ips drop, service http; classtype:attempted-user; sid:35085; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Null Hole exploit kit binary download request"; flow:to_server,established; urilen:>43; content:".exe&h="; fast_pattern:only; http_uri; content:"Cookie|3A| nhweb="; content:!"Referer"; http_header; pcre:"/\x2f[a-f0-9]{32}\x2f\w+\d+\x2eexe\x26h\x3d\d/iU"; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:35084; rev:1;)
# sids 35110/35109: the same pair of length-prefixed, look-alike ActionScript class names, inspected in mail to
# $SMTP_SERVERS (35110) and in data from $FILE_DATA_PORTS (35109).
# NOTE(review): the two rules carry the same msg but different classtypes (trojan-activity vs misc-attack), so they
# may be prioritised differently downstream - confirm before relying on classtype for triage.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_server,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:trojan-activity; sid:35110; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit obfuscated Flash actionscript classname detected"; flow:to_client,established; file_data; content:"|0E|IIll1III111I11|0E|Illl1III111I11"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:misc-attack; sid:35109; rev:2;)
# sid 35256: one exact <p style="..."> string (7px wide, 19px high, text-overflow: clip) in the file data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|7px|3B| height|3A|19px|3B| text-overflow|3A| clip|3B 22|>"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:35256; rev:1;)
# The five rules below are commented out, so none of them is loaded; none is assigned to a policy in its metadata.
# sids 35335/35334 require flowbit file.cws and sid 35333 requires file.swf; each matches one fixed byte pattern.
# The msg of sid 35334 ends with a trailing space, so it differs from the msg of its two siblings.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|B4 51 40 A2 02 12 14 10 AF 80 38 05 B4 54 40 0B 05 34 57 40 33 05 44 2B A0 8A 02 22 14 D0 48 01|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35335; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt "; flow:to_client,established; flowbits:isset,file.cws; file_data; content:"|93 C5 3E 7E 94 C9 64 51 B9 4C F6 DB 7F F7 89 EC C7 B2 E7 EF B5 CC 24 7B 94 C9 A1 DF 42 59 D5 6F|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35334; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash download attempt"; flow:to_client,established; flowbits:isset,file.swf; file_data; content:"|D0 49 00 D0 2C 08 61 24 D0 2C 05 61 0C D0 2C 0A 61 35 D0 2C 0B 61 33 D0 2C 16 61 3A D0 2C 03 61 14 D0 2C 0E 61 25 D0 2C 0F 61 30 D0 2C 10 61 2F D0 2C 11 61 2E D0 2C 12 61 20 D0 2C 13 61 3C D0 2C 14 61 31 D0 2C 15 61 34 D0 2C 04 61 37 47|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:35333; rev:1;)
# sid 35550: <span class="text" id = "..."> followed within 150 bytes by a fixed inline style (21px high, 7px wide).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<span class=|22|text|22| id = |22|"; content:"|22| style=|22| height|3A|21px|3B| font-style|3A| none|3B| width|3A|7px|3B| |22|><br>"; within:150; metadata:service http; classtype:trojan-activity; sid:35550; rev:1;)
# sid 35542: outbound request carrying one fixed base64 NTLM blob in Proxy-Authorization, an x-flash-version header
# and an http:// URL whose path is 70 characters with no "." or "/". No http_* buffer modifiers are used.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit flash exploit download attempt"; flow:to_server,established; urilen:>80; content:"Accept|3A| */*"; content:"Proxy-Authorization|3A| NTLM "; content:"TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="; within:56; content:"x-flash-version|3A|"; pcre:"/http\x3a\x2f\x2f\w+\x2e\w+\x2f[^\x2e\x2f]{70}/i"; metadata:service http; classtype:attempted-user; sid:35542; rev:3;)
# sid 35845: landing-page script that builds strings from split array literals - ["scr","ipt"]; followed within
# 30 bytes by ["j","","a","v","a"];.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"<script>"; content:"[|22|scr|22|,|22|ipt|22|]|3B|"; distance:0; content:"[|22|j|22|,|22 22|,|22|a|22|,|22|v|22|,|22|a|22|]|3B|"; within:30; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:35845; rev:1;)
# sid 36071: browser-version check in page script. The content "[0-7]\.\d+" is matched literally, i.e. the rule
# looks for that regular-expression source text inside the page, close to "MSIE", "navigator" and "userAgent".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; file_data; content:"inne"; content:"rHTML"; within:15; distance:3; content:"if|28|"; within:20; content:"MSIE"; within:10; content:"[0-7]|5C|.|5C|d+"; within:15; fast_pattern; content:"navigator"; within:30; content:"userAgent"; within:20; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36071; rev:1;)
# sid 36201: outbound request whose URI contains the fixed path "/new/newscan/i/?10".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Scanbox exploit kit exfiltration attempt"; flow:to_server,established; content:"/new/newscan/i/?10"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1189; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:36201; rev:2;)
# sid 36315: direction differs from most rules here - it inspects requests arriving at $HOME_NET web servers
# ($HTTP_PORTS, flow:to_server). Matches a JSON body that opens with a 4-hex-character key whose value is 32 hex
# characters or "false". "Content-Length: 1" is a prefix match, so any length value starting with 1 satisfies it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"DNT|3A| 1"; fast_pattern:only; http_header; content:"Content-Type|3A| application/json|3B| charset=utf-8"; http_header; content:"Content-Length|3A| 1"; http_header; content:"|7B 22|"; depth:2; http_client_body; pcre:"/^\x7b\x22[a-f0-9]{4}\x22\x3a\x22([a-f0-9]{32}|false)\x22,/smiP"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36315; rev:1;)
# sid 36286 (commented out): browser fingerprinting script fragments (maxTouchPoints, Trident, navigator.vendor).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit browser detection attempt"; flow:to_client,established; file_data; content:"navigator.maxTouchPoints&&!document.all"; fast_pattern:only; content:"Trident"; content:"window.navigator.vendor"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36286; rev:2;)
# sid 36281 (commented out): variant of sid 35256 with an 8px width and the style properties in a different order.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<p style=|22| width|3A|8px|3B| text-overflow|3A| clip|3B| height|3A|19px|3B 22|>"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:36281; rev:1;)
# sid 36332: request for /<alphanumerics>/access.log where a Range header directly follows the request line and no
# User-Agent header is present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit relay traffic detected"; flow:to_server,established; content:"access.log HTTP/1.1|0D 0A|Range: bytes="; fast_pattern:only; content:!"User-Agent:"; http_header; pcre:"/^\/[a-z0-9]+\/access\.log$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:36332; rev:1;)
# sid 36457: matches "if(this " followed within 60 bytes by "return -1;" on any port pair.
# NOTE(review): both fragments are short and look generic for JavaScript, and the rule is in drop mode for two
# policies - worth watching for false positives when tuning.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"if|28|this "; content:"return -1|3B|"; within:60; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36457; rev:1;)
# The next three rules are commented out, so they are not loaded.
# sid 36492: a string-split 'addEventListener' plus a /Trident/ test.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit gate detected"; flow:to_client,established; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; fast_pattern:only; content:"/Trident/"; content:"{return 0}else{return true}"; within:150; metadata:service http; reference:url,malware-traffic-analysis.net/2015/09/11/index.html; classtype:attempted-user; sid:36492; rev:2;)
# sid 36523: <object classid= followed by a 43-character quoted value, with an HTML character reference ("&#") nearby.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; file_data; content:"<object classid"; content:"&#"; within:30; pcre:"/<object classid\s*=\s*[\x22\x27][^\x22\x27]{43}/i"; metadata:service http; reference:url,malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html; classtype:attempted-user; sid:36523; rev:1;)
# sid 36535: literal regex source text "MSIE (\d+\.\d+);" followed by a navigator[ index that is not closed within 10 bytes.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page detected"; flow:to_client, established; file_data; content:"return"; content:"join"; within:8; content:"MSIE |28 5C|d+|5C|.|5C|d+|29 3B|"; distance:0; content:"navigator["; within:60; content:!"]"; within:10; metadata:service http; classtype:attempted-user; sid:36535; rev:4;)
# sid 36543: one fixed obfuscated call, eval(O1O(OlI(_1OO))), anywhere in the file data.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Hunter exploit kit landing page detected"; flow:to_client,established; file_data; content:"eval|28|O1O|28|OlI|28|_1OO|29 29 29|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com/2015/08/cve-2014-2419-internet-explorer-and.html; classtype:attempted-user; sid:36543; rev:1;)
# Angler gate URIs that imitate common forum/CMS paths. Each pcre is unanchored at the end, so the final character
# count is a minimum, not an exact length.
# sid 36637: viewtopic.php?t=<2-7 non-"&" chars>&f=<12 chars from [a-z0-9_.-]>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewtopic uri request attempt"; flow:to_server,established; content:"viewtopic.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/viewtopic\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36637; rev:5;)
# sid 36636: /index.php?PHPSESSID=<2-5 non-"&" chars>&action=<7 chars from [a-z0-9_.-]>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&action="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26action\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36636; rev:4;)
# sid 36635: /search.php?keyword(s)=<2-7 non-"&" chars>&fid0=<7 chars from [a-z0-9_.-]>.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword"; fast_pattern:only; http_uri; content:"&fid0="; http_uri; pcre:"/\x2fsearch\x2ephp\x3fkeywords?\x3d[^\x26]{2,7}\x26fid0\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36635; rev:6;)
# The four Angler rules below are commented out, so they are not loaded. They chain short quoted string fragments
# with within: windows and use no file_data keyword, unlike the enabled landing-page rules in this file.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|ferrodo|27|"; content:"substr"; within:100; content:"|27|ge|27|"; within:200; content:"|27|tE|27|"; within:200; content:"|27|le|27|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36788; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|plumbum|27|"; content:"substr"; within:100; content:"|27|doReMi|27|"; within:250; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36785; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit browser version detection attempt"; flow:to_client,established; content:"|27|rHTML|27|]"; fast_pattern:only; content:"if((|2F|(MSIE"; content:"[0-7]"; within:10; content:"navigator.userAgent"; within:50; content:".slice"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-recon; sid:36802; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|sub|27|"; content:"|27|pro|27|"; within:50; content:"+ (|27|yo|27|)"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36801; rev:1;)
# sid 36798: script containing "0xffffffff" and, in order, charCodeAt / length / fromCharCode / delta
# (case-insensitive, bounded by within: windows).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT GongDa landing page detected"; flow:to_client,established; file_data; content:"0xffffffff"; fast_pattern:only; content:"charCodeAt"; nocase; content:"length"; within:20; nocase; content:"fromCharCode"; within:200; nocase; content:"delta"; within:200; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36798; rev:4;)
# sids 36797, 36796 and 36790 are commented out (not loaded); like the other disabled Angler rules they chain very
# short quoted fragments and use no file_data keyword.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|22|g|22|"; content:"|22|ua|22|"; within:50; content:"|22|ge|22|"; within:50; content:"|22|j|22|"; within:50; content:"|22|av|22|"; within:100; content:"|22|a|22|"; within:100; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:36797; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|red|27|"; content:"substr"; within:100; content:"|27|c|27|"; within:150; content:"|27|um|27|"; within:50; content:"|22|char|22|"; within:150; content:"|27|ferrodo|27|"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36796; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"|27|mCh|27|"; content:"|27|fr|27|"; within:100; content:"|22|ev|22|"; within:200; content:"|27|fillip|27|"; within:150; content:"substr"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36790; rev:1;)
# sid 36808: the word "document" assembled by concatenation ('do'+'c'+'um'+'ent'), plus "char", "ner" and "HT" fragments.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"|27|do|27|+|27|c|27|+|27|um|27|+|27|ent|27|"; fast_pattern:only; content:"|22|char|22|"; content:"ner"; within:200; content:"HT"; within:50; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36808; rev:1;)
# sid 36824 (commented out): VBScript decoding routine - Split(, UBound(, +Chrw(eval( and End Function, each within
# 40 bytes of the previous match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Known exploit kit obfuscation routine detected"; flow:to_client,established; content:"vbscript>"; content:"=Split("; within:40; content:"UBound("; within:40; content:"+Chrw(eval("; within:40; content:"End Function"; within:40; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2014-6332; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:36824; rev:2;)
# sid 36899 (commented out): "[" ... ".substr (" ... "].appendChild (" in sequence.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; content:"["; content:".substr ("; within:25; content:"].appendChild ("; within:60; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:36899; rev:1;)
# sid 37016: outbound URI containing "?getsrc=ok&ref=" and "&url=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DoloMalo exploit kit packer detected"; flow:to_server,established; content:"?getsrc=ok&ref="; fast_pattern:only; http_uri; content:"&url="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37016; rev:2;)
# sid 37014 (commented out): four plain HTML tags (<input>, </input>, <nobr>, </nobr>) with no ordering or distance
# constraint between them.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"<input>"; content:"</input>"; content:"<nobr>"; fast_pattern:only; content:"</nobr>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:37014; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit landing page"; flow:to_client,established; file_data; content:"<span style=|27| width|3A|"; content:"px"; within:3; distance:1; content:"|3B| height|3A|"; content:"px|3B 27 20 20|id=|27|"; within:11; distance:1; content:"|27 20 20 20|class=|27|text|27|"; distance:0; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy max-detect-ips alert, service http; classtype:trojan-activity; sid:37207; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page detected"; flow:to_client,established; file_data; content:"String.fromCharCode(parseInt(("; fast_pattern:only; content:"var"; content:"|22 22|"; within:2; distance:9; metadata:service http; classtype:attempted-user; sid:37355; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DarkLeech iframe injection tool detected"; flow:to_client,established; file_data; content:"<style>."; nocase; content:" { position|3A| absolute|3B| top|3A| -"; within:50; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:37361; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit iframe injection attempt"; flow:to_client,established; file_data; content:"document.write"; content:"<iframe"; within:10; content:"16.html|22|"; within:70; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37529; rev:1;)
# sid 37528: outbound request whose normalized URI ends with
#   .php?c_id=<2 digits>&n_id=<2-4 digits>&token=<32 alphanumerics>
# The distance/within windows on "&n_id" and "&token=" are compatible with the digit counts in
# the pcre, and the trailing $ ties the token to the end of the URI, so a request that carries
# further parameters after the token is not matched by this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound uri request attempt"; flow:to_server,established; content:".php?c_id="; http_uri; content:"&n_id"; within:5; distance:2; http_uri; content:"&token="; within:10; distance:2; http_uri; pcre:"/\x2ephp\x3fc_id\x3d\d{2}\x26n_id\x3d\d{2,4}\x26token\x3d[a-zA-Z0-9]{32}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware.dontneedcoffee.com; classtype:attempted-user; sid:37528; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yId|22|"; content:"|22|inner|22|"; within:100; content:"|22|TML|22|"; within:200; content:"|22|substr|22|"; within:100; content:"|22|index|22|"; within:100; content:"+|22|f|22|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37551; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"|22|I from the grandmother left, and left my grandfather.|22|"; fast_pattern:only; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37550; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Malicious iFrame injection outbound URI request attempt"; flow:to_server,established; content:"/?id="; http_uri; content:"&keyword="; within:9; distance:7; http_uri; pcre:"/\x2f\x3fid=[0-9]{7}\x26keyword=[a-f0-9]+\x26[\w_]+\x3d/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37549; rev:1;)
# sid 37548: the hex-escaped content decodes to the ASCII text  "]].join(\"\");"));/*
# It is the rule's only content and is marked fast_pattern:only, so the whole detection is the
# presence of that one string anywhere in the HTTP response body (file_data).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Malicious iFrame redirection injection attempt"; flow:to_client,established; file_data; content:"|22 5D 5D 2E|join|28 5C 22 5C 22 29 3B 22 29 29 3B 2F 2A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37548; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?t="; http_uri; content:"&f="; within:13; http_uri; pcre:"/\/view\x2Ephp\x3Ft\x3D[^\x26]{2,7}\x26f\x3D[a-z0-9_\x2d\x2e]{12}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37873; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; pcre:"/\x2fviewthread\x2ephp\x3ff\x3d[^\x26]{2,7}\x26sid\x3D[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37872; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?PHPSESSID="; fast_pattern:only; http_uri; content:"&mod="; http_uri; pcre:"/\x2findex\x2ephp\x3fPHPSESSID\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37871; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"/viewthread.php?thread_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; pcre:"/\x2fviewthread\x2ephp\x3fthread_id\x3d[^\x26]{2,7}\x26tid\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37958; rev:1;)
# sid 37957: NOTE(review): the pcre reads "\x3fid?\x3d", i.e. "?i", an optional "d", then "=".
# The "?" after "id" looks like a stray quantifier: the sibling Angler URI rules (sid 37958,
# 37871, 38163) have none, and the content "/view.php?id=" already requires the literal "id=".
# In practice the rule still keys on "/view.php?id=<2-7 chars>&course=<7 chars>"; confirm with
# the rule author before relying on the "?i=" form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"/view.php?id="; fast_pattern:only; http_uri; content:"&course="; http_uri; pcre:"/\x2fview\x2ephp\x3fid?\x3d[^\x26]{2,7}\x26course\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:37957; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong da exploit kit landing page"; flow:to_client,established; file_data; content:"/index.aspx?id="; fast_pattern:only; content:"expires=|22| +"; nocase; content:"toGMTString()"; within:50; nocase; content:"escape(document.referrer)"; within:500; nocase; content:"/sa.htm?id="; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:37919; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Magnitude exploit kit Internet Explorer exploit attempt"; flow:to_client,established; content:"|3C|html|3E 0D 0A 3C|body|3E 0D 0A 3C|div|20|id|3D 22|"; content:"|22 3E|"; within:10; pcre:"/^([0-9]{2,3}\x2A[0-9]{2,3}\x2A){5}/R"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:37918; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit search uri request attempt"; flow:to_server,established; content:"/search.php?keyword="; http_uri; content:"&type="; within:12; distance:2; http_uri; pcre:"/\x2fsearch\x2ephp\x3fkeyword\x3d[^\x26]{2,7}\x26type\x3d([a-z]{1,5}[0-9]{1,5}|[0-9]{1,5}[a-z]{1,5})/U"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38121; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate redirector"; flow:to_client,established; file_data; content:"charCodeAt"; nocase; content:"unescape"; within:200; nocase; content:"%256"; within:100; content:"|27|charCodeAt|27|"; within:300; nocase; content:"String"; within:100; nocase; content:"eval"; within:200; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38133; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit view uri request attempt"; flow:to_server,established; content:"view.php?forum_id="; fast_pattern:only; http_uri; content:"&id="; http_uri; pcre:"/\x2fview\x2Ephp\x3Fforum_id\x3D[^\x26]{2,7}\x26id\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38163; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit viewthread uri request attempt"; flow:to_server,established; content:"viewthread.php?thad_id="; fast_pattern:only; http_uri; content:"&tid="; http_uri; pcre:"/\x2fviewthread\x2Ephp\x3Fthad_id\x3D[^\x26]{2,7}\x26tid\x3D[a-z0-9]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38162; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit index uri request attempt"; flow:to_server,established; content:"/index.php?search="; http_uri; content:"&mod="; fast_pattern:only; http_uri; pcre:"/\x2findex\x2ephp\x3fsearch\x3d[^\x26]{2,5}\x26mod\x3d[a-z0-9_\x2d\x2e]{7}/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38161; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit gate detected"; flow:to_client,established; file_data; content:"position|3A|absolute|3B|left|3A|-1753px|3B|top|3A|0px|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38160; rev:1;)
# sid 38254: matches one fixed query-string fragment ("&fid=2&rds=<40 hex chars>&aff=") in the
# request URI. This is an indicator-style signature for the campaign in the referenced write-up
# rather than a structural one: any change to the rds value leaves it silent, so treat a hit as
# high-confidence and the absence of hits as no evidence either way.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Known malicious redirection attempt"; flow:to_server,established; content:"&fid=2&rds=b1714032cd63652bc95fadf5dc81dadd88cafec4&aff="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.malwarebytes.org/malvertising-2/2016/03/large-angler-malvertising-campaign-hits-top-publishers/; classtype:attempted-user; sid:38254; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino exploit kit redirection attempt"; flow:to_client,established; file_data; content:"opacity|3A|0|3B|filter|3A|alpha(opacity=0)|3B|"; fast_pattern:only; content:"-moz-opacity|3A|0|3B 22|>"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:500; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:38275; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit questions uri request attempt"; flow:to_server,established; content:"/questions/"; fast_pattern:only; http_uri; pcre:"/^\/questions\/[0-9]+\/([a-zA-Z]+-){3,6}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38438; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit outbound uri structure"; flow:to_server,established; content:"/music/song/"; depth:12; http_uri; content:"_"; http_uri; pcre:"/^\x2fmusic\x2fsong\x2f[0-9]+_[a-zA-Z]{5,20}(\x2easpx)?$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38437; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"autotest= |22|retina|22|"; fast_pattern; content:"id = |22|e8a-48-"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38524; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit landing page detected"; flow:to_client,established; file_data; content:"id = |22|PLgxk1z"; fast_pattern; content:"fontbackold=|22|red|22|"; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38523; rev:1;)
# sid 38522 (disabled): NOTE(review): the three character classes in the pcre are written
# [a-zA-z0-9]. The range "A-z" runs from 0x41 to 0x7A and therefore also admits [ \ ] ^ _ and `,
# which is presumably a typo for "A-Z". The effect is a slightly broader id match than intended;
# check this before enabling the rule.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"=|22|120|22| autotest= |22|retina|22| id = |22|"; fast_pattern:only; pcre:"/=\x22120\x22\x20autotest=\x20\x22retina\x22\x20id\x20=\x20\x22[a-zA-z0-9]{3}-[a-zA-z0-9]{2,3}-[a-zA-z0-9]{5,20}\x22/"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38522; rev:2;)
# sid 38521: five closing tags must all be present in file_data. None of the contents carries
# distance/within, so each is searched from the start of the buffer and the tags may appear in
# any order and at any separation. Four of them are ordinary HTML; "</hl>" is not a standard
# element name and is the only distinctive part of the signature.
# NOTE(review): this rule drops under balanced-ips and also applies to ftp-data/imap/pop3 file
# data; review hits on large text-heavy documents for false positives.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit redirect page detected"; flow:to_client,established; file_data; content:"</q>"; content:"</small>"; content:"</big>"; content:"</hl>"; content:"</em>"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38521; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"<meta name=|22|keywords|22| content=|22|HTML, CSS, XML, XHTML, JavaScript|22|>"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38556; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"|2F|*By creating and uploading Web pages to the Internet*|2F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38555; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; content:"|29 3B|eval|28|eval|28 27|"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38553; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Angler landing page detected"; flow:to_client,established; file_data; content:"function|28 29 7B|var "; content:"=|22|"; within:20; distance:8; pcre:"/function.*?\x3D\x22[a-f0-9]{200}/smi"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:38552; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_client,established; content:"Content-Type|3A| application/octet-stream"; http_header; file_data; content:"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; depth:47; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38593; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear Exploit Kit back end communications attempt"; flow:to_server,established; content:"/test.x.test"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,blog.talosintel.com/2016/04/nuclear-exposed.html; classtype:trojan-activity; sid:38592; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT vbscript downloading executable attempt"; flow:to_client,established; file_data; content:"createObject"; content:"Microsoft.XMLHTTP"; within:200; content:"Get.SaveToFile"; fast_pattern; content:".exe"; within:150; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:38589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear exploit kit landing page detected"; flow:to_client,established; file_data; content:"|22|push|22|"; content:"String"; within:150; content:"|22|fromCharCode|22|"; within:100; content:"|2F 5C|s|7C 5C 2E 2F|g"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:38582; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"height="; distance:0; content:"id="; within:10; content:"width="; content:"codebase="; within:20; fast_pattern; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"allowScriptAccess"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38730; rev:1;)
# sid 38682: the whole signature is one URI substring, "/order/order_details.html?", with no
# pcre, length or header constraint behind it.
# NOTE(review): a path this generic could plausibly occur on legitimate order-tracking sites.
# Because the rule drops under balanced-ips, correlate a hit with the referring e-mail or page
# before treating it as confirmed exploit-kit traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler Exploit Kit email gate"; flow:to_server,established; content:"/order/order_details.html?"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38682; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; flow:to_client,established; file_data; content:"56,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:38876; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"height="; distance:0; content:"codebase"; within:20; fast_pattern; content:"id="; distance:0; content:"width="; within:20; content:"classid"; content:"movie"; distance:0; content:"value"; within:10; content:"always"; distance:0; content:"allowScriptAccess"; within:25; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/05/25/index.html; classtype:trojan-activity; sid:39081; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Obfuscated exploit download attempt"; flow:to_client,established; file_data; content:"87,115,99,114,105,112,116,37,50,69,83,104,101,108,108"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:39130; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear gate redirect attempt"; flow:to_client,established; content:"Cache-Control|3A| no-store, no-cache, must-revalidate"; fast_pattern:only; http_header; file_data; content:"top.location.replace"; content:"top.location.href"; within:50; pcre:"/top\x2elocation\x2ereplace\s*\x28\s*(?<var>\w+)\s*\x29.*?top.location.href\s*\x3d\s*(?P=var)/s"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39129; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Nuclear landing page detected"; flow:to_client,established; file_data; content:"yesterday weve been pushing the car"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:39128; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_server,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:39241; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit exploitation attempt"; flow:to_client,established; file_data; content:"FWS"; depth:3; content:"|00 18 01 00 44 11 19 00 00 00 41 13 00|"; content:!"|5A 0A|"; within:200; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:39240; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Pseudo-Darkleech gate redirect attempt"; flow:to_client,established; file_data; content:"<span"; depth:70; content:"style|3D 22|display|3A|none|22|"; within:200; isdataat:1000,relative; content:!"</span>"; within:1000; content:"</span>"; distance:0; content:"<script>"; within:10; metadata:policy max-detect-ips drop, service http; classtype:trojan-activity; sid:39677; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv=|22|X-UA-Compatible|22|"; within:35; nocase; content:"content="; within:15; nocase; content:"EmulateIE"; within:20; fast_pattern; nocase; content:"<script"; nocase; content:"VBScript"; within:20; nocase; metadata:policy max-detect-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:39754; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Neutrino Exploit Kit Flash exploit download attempt"; flow:to_client,established; file_data; content:"<object"; content:"codebase="; distance:0; content:"height="; within:200; content:"width="; within:150; content:"id="; within:25; content:"movie"; within:100; content:"value"; within:40; content:"<embed"; content:"allowScriptAccess"; within:50; fast_pattern; content:"sameDomain"; within:30; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39802; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit embedded iframe redirection attempt"; flow:to_client,established; file_data; content:"iframe"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:40034; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; content:"/geoip.php?bdr="; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown exploit kit landing page detected"; flow:to_client,established; content:"X-Powered-By|3A 20|Yugoslavian Business Network"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,malware-traffic-analysis.net/2016/06/15/index.html; classtype:attempted-user; sid:40233; rev:1;)
# sid 40753: outbound request whose normalized URI is longer than 150 bytes, starts with "/?"
# and contains "&sourceid=" and "aqs=". A match also sets the flowbit file.exploit_kit.flash
# for later rules.
# NOTE(review): "es_sm=" (fast_pattern:only) and "&ie=" carry no http_uri modifier, unlike the
# other contents, so they are matched against the raw payload rather than the URI buffer; they
# could be satisfied by header or body bytes. Presumably an oversight; confirm against captures.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>150,norm; content:"/?"; depth:2; http_uri; content:"es_sm="; fast_pattern:only; content:"&sourceid="; http_uri; content:"aqs="; http_uri; flowbits:set,file.exploit_kit.flash; content:"&ie="; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40753; rev:4;)
# sid 41035: fires on any outbound HTTP request whose URI begins with "/noone.php"
# (10-byte content at depth:10 in http_uri). The destination port is "any" rather than the
# $HTTP_PORTS used by the neighbouring outbound rules.
# NOTE(review): this is a single short URI prefix with no further constraint and it drops under
# balanced-ips; pair hits with referrer or subsequent landing-page alerts when triaging.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"<script "; nocase; content:"VBScript"; within:50; fast_pattern; nocase; content:"Execute"; within:200; nocase; content:"chr"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41092; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:attempted-user; sid:41084; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig exploit kit landing page detected"; flow:established,to_client; file_data; content:"<iframe"; nocase; content:"onload"; within:20; nocase; content:"window.setTimeout"; within:100; nocase; content:"style"; within:100; nocase; content:"visibility:hidden"; within:30; nocase; content:"<script"; nocase; content:"http://"; within:30; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:41314; rev:1;)
# sid 41783: outbound request with a normalized URI longer than 140 bytes that starts with "/?".
# A match sets the flowbit file.exploit_kit.flash.
# NOTE(review): only "/?" is bound to http_uri. "qtuif=", "oq=", "q=" and "ct=" are matched
# against the raw payload. "q=" is a substring of "oq=" and neither content is relative, so
# "q=" adds no constraint beyond "oq=". The distinctive element is the fast pattern "qtuif=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit URL outbound communication"; flow:established,to_server; urilen:>140,norm; content:"/?"; depth:2; http_uri; content:"qtuif="; fast_pattern:only; content:"oq="; nocase; content:"q="; nocase; content:"ct="; nocase; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41783; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit kit Pseudo-Darkleech Gate redirection attempt"; flow:to_client,established; file_data; content:"<span"; fast_pattern; content:"style"; within:150; content:"position"; within:15; content:"absolute"; within:15; content:"width"; content:"height"; pcre:"/position\x3aabsolute\x3b\s*((top|left)\x3a-\d{4}px\x3b){1,2}\s*(width|height)\x3a\d{3}px\x3b\s*(height|width)\x3a\d{3}px\x3b/"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:41908; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit EITest Gate redirection attempt detected"; flow:established,to_client; file_data; content:"<script"; nocase; content:"type"; within:20; nocase; content:"text/javascript"; within:35; nocase; content:"iframe"; within:50; nocase; content:"|22|0px"; within:200; nocase; content:"setAttribute"; nocase; content:"frameborder"; within:30; nocase; content:"|22|0"; within:10; nocase; content:"http://"; within:200; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:42018; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_server,established; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42397; rev:1;)
# sid 42396 (disabled): requires the flowbit file.pdf, which must be set by a file-identification
# rule outside this file. The rule then looks for "iframe" and "1px" after the PDF "%%EOF" marker.
# NOTE(review): flow is "to_client" without "established", unlike the SMTP twin (sid 42397) and
# the other rules in this section; confirm whether that is intended before enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blacole inbound malformed pdf download attempt"; flow:to_client; flowbits:isset,file.pdf; file_data; content:"%%EOF"; isdataat:500,relative; content:"iframe"; within:1000; nocase; content:"1px"; within:200; nocase; content:"getElementbyId"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/602F2B47BF63A0776673378FE95B9C025C93A3959C503D0DB3D7B82E7B7C5823/analysis/; reference:url,virustotal.com/en/file/C22015F1132AC29EDAC89D219988595257E5F92EB4C34A2284D499154176224F/analysis/; classtype:trojan-activity; sid:42396; rev:1;)
# sid 42806: outbound request whose normalized URI starts with "/?", has a length in the
# 140<>250 range and contains "ct=" and "oq=".
# NOTE(review): "q=" is a substring of "oq=" and is not relative to any earlier match, so it
# adds no constraint. The effective signature is the URI shape plus two three-byte parameter
# names, and it drops under balanced-ips; expect to validate hits against the destination and
# any follow-on landing-page alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:140<>250,norm; content:"/?"; depth:2; http_uri; content:"ct="; http_uri; content:"oq="; fast_pattern:only; http_uri; content:"q="; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:42806; rev:3;)
# sid:43729 (disabled) - server response body (file_data) containing, in order and each
# within the stated byte window of the previous match: "<meta", "http-equiv",
# "X-UA-Compatible", "IE=10", "<meta", "charset", "UTF-8", "<script".
# NOTE(review): every token is ordinary HTML; presumably shipped disabled because the
# sequence alone is not specific to an exploit kit - verify before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt"; flow:to_client,established; file_data; content:"<meta"; content:"http-equiv"; within:15; content:"X-UA-Compatible"; within:30; content:"IE=10"; within:40; content:"<meta"; within:20; content:"charset"; within:20; content:"UTF-8"; within:20; content:"<script"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-admin; sid:43729; rev:2;)
# sid:43332 (disabled) - client request with a URI longer than 180 bytes that starts with
# "/?". The relative content matches ("&", "x", "Q", "R") pre-filter the URI before the
# pcre confirms the full parameter pattern.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Landing Page Request Attempt"; flow:to_server,established; urilen:>180; content:"/?"; depth:2; http_uri; content:"&"; within:5; distance:3; http_uri; content:"x"; distance:0; http_uri; content:"Q"; distance:0; http_uri; content:"R"; within:1; distance:5; http_uri; pcre:"/\/\?[A-Za-z]{3,7}&.*x[HX3].+Q[cdM].{3}[ab]R/U"; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43332; rev:1;)
# sid:43217 (disabled) - response body that begins with "<html" (depth:5) followed by a
# "<meta" ... "http-equiv" ... "REFRESH" ... "URL=" ... "http://" chain. "REFRESH" is
# matched in upper case only (no nocase). The chain describes any such meta-refresh
# redirect to an http:// URL, so it is generic on its own.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit redirection attempt"; flow:to_client,established; file_data; content:"<html"; depth:5; content:"<meta"; within:50; content:"http-equiv"; within:20; content:"REFRESH"; within:20; content:"URL="; within:50; content:"http://"; within:20; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:43217; rev:1;)
# sid:43187 (disabled) - client request whose normalized URI exceeds 140 bytes, starts
# with "/tr?" (depth:4) and carries the parameters "id=", "confirm=", "size=" and
# "noframe=" in any order.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit URL outbound communication"; flow:to_server,established; urilen:>140,norm; content:"/tr?"; depth:4; http_uri; content:"id="; http_uri; content:"confirm="; http_uri; content:"size="; http_uri; content:"noframe="; http_uri; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43187; rev:1;)
# sid:43835 (disabled) - file data on the services listed in the metadata (ftp-data,
# http, imap, pop3) containing byte 0x16 followed by "FilePrivateNS:mersedes". 0x16 is
# 22, the length of that string, so this is presumably a length-prefixed string inside
# the Flash file - TODO confirm.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit Adobe Flash exploit download"; flow:to_client,established; file_data; content:"|16|FilePrivateNS:mersedes"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:43835; rev:1;)
# sid:43885 (disabled) - response body with a "<script" block that references
# "ActiveXObject", "Shockwave" and "Flash" and then "document.write" of an "<iframe"
# whose src starts with 'http. Each token must fall within the stated window of the
# previous match.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Exploit Kit malicious redirection attempt"; flow:to_client,established; file_data; content:"<script"; content:"type"; within:20; content:"javascript"; within:30; content:"ActiveXObject"; within:100; content:"Shockwave"; within:200; content:"Flash"; within:30; content:"document.write"; within:200; content:"<iframe"; within:30; content:"src='http"; within:50; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:43885; rev:1;)
# sid:43932 / sid:43931 - shellcode markers delivered as text. Each rule needs an anchor
# string ("FlashVars" or "unescape(") and, within 200 bytes after it, a fixed run of
# hexadecimal characters. The run is written as a quoted string, not as |..| bytes, so
# it matches the ASCII hex text as it appears in the file data, upper-case only (no
# nocase). Both are enabled with drop in balanced-ips, security-ips and max-detect-ips.
# NOTE(review): a lower-case or otherwise re-encoded copy of the same bytes would not
# match; treat these as signatures for one specific encoding.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT TERROR exploit kit FlashVars parameter shellcode"; flow:to_client,established; file_data; content:"FlashVars"; content:"8B5E04311EC10E0183EEFCE2F3"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43932; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT RIG exploit kit shellcode detected"; flow:to_client,established; file_data; content:"unescape|28|"; content:"498034088485C975F7FFE0E8"; within:200; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:43931; rev:1;)
# sid:44738 (disabled) - landing-page heuristic on $HTTP_PORTS plus source ports 1986,
# 38, 6780 and 9812: a "<meta" ... "http-equiv=" ... "X-UA-Compatible" ... "content=" ...
# "IE=" chain followed within 250 bytes by "<script" and then "VBScript" (the fast
# pattern). Most tokens are matched case-insensitively.
# alert tcp $EXTERNAL_NET [$HTTP_PORTS,1986,38,6780,9812] -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"<meta"; nocase; content:"http-equiv="; within:20; content:"|22|X-UA-Compatible"; within:40; nocase; content:"content="; within:15; nocase; content:"IE="; within:20; nocase; content:"<script"; within:250; nocase; content:"VBScript"; within:30; fast_pattern; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:44738; rev:4;)
# sid:45080 (disabled) - response body with a "<div" followed within 100 bytes by the
# CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 (the Flash ActiveX control), then
# "allowscriptaccess" and "always".
# NOTE(review): the header is bound to $HTTP_PORTS while the metadata also lists
# ftp-data, imap and pop3 - confirm which transports are actually covered.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror malicious flash file load attempt"; flow:to_client,established; file_data; content:"<div"; content:"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"; within:100; content:"allowscriptaccess"; within:40; content:"always"; within:20; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45080; rev:1;)
# sid:45455 and sid:45527-45532 (all disabled) - Rig redirect pages identified by base64
# tokens in the server-to-client stream. The tokens decode to plain English words:
#   dW5rbm93bg==  "unknown"     ZGVub21pbmF0aW9ucw==  "denominations"
#   bG9jYXRlZA==  "located"     Y2FwaXRhbA==          "capital"
#   bWlzc2luZw==  "missing"     YXR0YWNrcw==          "attacks"
#   c3Rvcm1lZA==  "stormed"
# None of these rules uses file_data or an HTTP buffer modifier on its contents.
#
# sid:45455 requires all five of its tokens to be present, in any order.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; content:"ZGVub21pbmF0aW9ucw=="; content:"bG9jYXRlZA=="; content:"Y2FwaXRhbA=="; content:"bWlzc2luZw=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45455; rev:1;)
# sid:45532 down to sid:45528 each fire on one token alone (fast_pattern:only).
# NOTE(review): a single base64-encoded common word is a weak indicator; if these are
# enabled, expect matches on unrelated base64 content and prefer the multi-token rules.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bWlzc2luZw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45532; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"Y2FwaXRhbA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45531; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"bG9jYXRlZA=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45530; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"ZGVub21pbmF0aW9ucw=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45529; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"dW5rbm93bg=="; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45528; rev:1;)
# sid:45527 requires three tokens ("attacks", "missing", "stormed"), in any order.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Rig Exploit Kit URI redirect attempt"; flow:to_client,established; content:"YXR0YWNrcw=="; content:"bWlzc2luZw=="; content:"c3Rvcm1lZA=="; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45527; rev:1;)
# sid:45925 - file data containing "XiaoBa" and the 15-byte sequence E8 BD AF ... AB 99,
# which is UTF-8 for five CJK characters (roughly "software download site"). The two
# contents are unordered. Enabled with drop in balanced-ips, security-ips and
# max-detect-ips.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK page access attempt"; flow:to_client,established; file_data; content:"XiaoBa"; content:"|E8 BD AF E4 BB B6 E4 B8 8B E8 BD BD E7 AB 99|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45925; rev:1;)
# sid:45923 / sid:45922 - .dll / .exe download from a server identified by "Server"
# followed within 20 bytes by "HFS 2" (the fast pattern) plus an "HFS_SID_" token; the
# extension must follow "filename" within 30 bytes. sid:45922 also watches source
# port 384. Both are enabled with drop in balanced-ips, security-ips and max-detect-ips.
# NOTE(review): nothing in these rules inspects the downloaded file itself, so any
# executable served with this banner would match - tune by source where such a file
# server is used legitimately. The banner and token look like header/cookie values
# while the rule searches under file_data; confirm it fires on HTTP-inspected traffic.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK dll download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".dll"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45923; rev:1;)
alert tcp $EXTERNAL_NET [$HTTP_PORTS,384] -> $HOME_NET any (msg:"EXPLOIT-KIT Terror EK exe download attempt"; flow:to_client,established; file_data; content:"Server"; nocase; content:"HFS 2"; within:20; fast_pattern; nocase; content:"HFS_SID_"; content:"filename"; content:".exe"; within:30; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:45922; rev:2;)
# sid:45921 (disabled) - "GET " followed by a path shaped
# /<2 bytes>/<2 bytes>/<36 bytes>.css (built from the within/distance chain).
# NOTE(review): as written the header watches requests arriving at $HOME_NET servers
# (EXTERNAL -> HOME, to_server) and matches the request line under file_data, whereas a
# client fetching a kit resource would travel in the opposite direction. Verify
# direction and buffer before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Terror EK resource access attempt"; flow:to_server,established; file_data; content:"GET "; nocase; content:"/"; within:1; content:"/"; within:1; distance:2; content:"/"; within:1; distance:2; content:".css"; within:4; distance:36; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:45921; rev:1;)
# sid:45919 (disabled) - "Set-Cookie" followed by "streams", "campaigns" and "time", each
# within 50 bytes of the previous match, combined with a status code containing "30".
# The metadata carries no policy entry, so no base policy enables this rule.
# NOTE(review): "within:2" is attached to an http_stat_code content that follows
# file_data contents - confirm how that relative modifier is evaluated across buffers.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror EK landing page attempt"; flow:to_client,established; file_data; content:"Set-Cookie"; content:"streams"; within:50; content:"campaigns"; within:50; content:"time"; within:50; content:"30"; within:2; http_stat_code; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:45919; rev:1;)
# sid:46662 - client request whose headers contain the exact string
# "Referer: http://ssiapawz.com/watch?". This is a single-domain indicator: the match is
# case-sensitive, tied to the http:// scheme, and stops matching once the referring
# domain changes. Enabled with drop in balanced-ips, security-ips and max-detect-ips.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT FakeFlash update attempt"; flow:to_server,established; content:"Referer: http://ssiapawz.com/watch?"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:46662; rev:1;)
# sid:47034 (disabled) - response body containing "X-UA-Compatible", "EmulateIE8" (the
# fast pattern) and "VBScript" anywhere, in any order and with no distance limits.
# NOTE(review): all three strings can occur in legacy intranet pages written for
# Internet Explorer; check for such pages before enabling.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown/Terror/Grandsoft/Magnitude exploit kit landing page detected"; flow:to_client,established; file_data; content:"X-UA-Compatible"; nocase; content:"EmulateIE8"; fast_pattern:only; content:"VBScript"; nocase; metadata:policy max-detect-ips drop, service http; classtype:attempted-user; sid:47034; rev:1;)
# sid:48440 - request to a $HOME_NET web server (EXTERNAL -> HOME, to_server) whose URI
# contains ".php" and whose body contains "=die(md5(Ch3ck1ng))". Classified as
# web-application-attack; enabled with drop in balanced-ips, security-ips and
# max-detect-ips.
# NOTE(review): this rule covers inbound traffic to local servers rather than client
# browsing. The body string looks like a PHP expression submitted as a parameter value,
# so an alert is worth correlating with the web server's logs for the targeted .php
# endpoint - TODO confirm how the response was handled.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Qadars exploit kit attempt"; flow:to_server,established; content:".php"; http_uri; content:"=die(md5(Ch3ck1ng))"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:48440; rev:1;)