snort2-docker/docker/etc/rules/app-detect.rules
2020-02-24 08:56:30 -05:00

186 lines
62 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# APP-DETECT RULES
#------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Chocoplayer successful installation"; flow:to_server,established; content:"/post/player.php"; http_uri; content:"type="; http_client_body; content:"mac="; distance:0; http_client_body; content:"os="; distance:0; http_client_body; metadata:policy security-ips drop, service http; reference:url,www.chocoplayer.com; classtype:misc-activity; sid:25981; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.ammyy.com; classtype:policy-violation; sid:25947; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner XSS attempt"; flow:to_server,established; content:">=|5C|xa2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25365; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"<ScRiPt>prompt("; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Apple Messages service server request attempt"; flow:to_client,established; ssl_state:server_hello; content:"|2A|.ess.apple.com"; fast_pattern:only; metadata:service http; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25083; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Apple Messages client side certificate request attempt"; flow:to_client,established; ssl_state:server_hello; content:"albert.apple.com"; fast_pattern:only; metadata:service http; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25082; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Apple Messages courier.push.apple.com DNS TXT request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|courier|04|push|05|apple|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25081; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Apple Messages push.apple.com DNS TXT request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|push|05|apple|03|com|00 00 10 00 01|"; fast_pattern:only; metadata:service dns; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:25080; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Steam game URI handler"; flow:to_client,established; file_data; content:"steam|3A 2F 2F|"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf; reference:url,steamcommunity.com; classtype:policy-violation; sid:24397; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_server,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24097; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24096; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Teamviewer installer download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"T|00|e|00|a|00|m|00|V|00|i|00|e|00|w|00|e|00|r"; content:"www.teamviewer.com"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24095; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Teamviewer control server ping"; flow:to_server; content:"teamviewer"; fast_pattern:only; metadata:service dns; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24094; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"APP-DETECT Amazon Kindle chrome-scriptable-plugin attempt"; flow:to_client,established; flowbits:isset,kindle.request; content:"application/kindle-chrome-scriptable-plugin"; fast_pattern:only; metadata:service http; reference:url,www.mobileread.com/forums/showthread.php?t=175368; classtype:policy-violation; sid:23617; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Amazon Kindle 3.0 User-Agent string requested"; flow:to_server,established; content:"Kindle/3.0+"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]+Kindle\x2F3\x2E0\x2B/Hsmi"; flowbits:set,kindle.request; flowbits:noalert; metadata:service http; classtype:misc-activity; sid:23616; rev:4;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT ptunnel icmp proxy"; itype:8; content:"|D5 20 08 80|"; depth:4; reference:url,www.cs.uit.no/~daniels/PingTunnel/; classtype:policy-violation; sid:21853; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT User-Agent known user agent - GetRight"; flow:to_server,established; content:"User-Agent|3A| GetRight"; fast_pattern:only; http_header; metadata:policy security-ips drop, service http; reference:url,www.virustotal.com/file/D96B3F575AEFE5E1560BC6B89069C9DE04784DAD449CC7B2F2CE3786CAB99861/analysis/; classtype:trojan-activity; sid:21488; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 24800 (msg:"APP-DETECT Synergy network kvm usage detected"; flow:established; content:"Synergy"; depth:7; offset:4; nocase; flowbits:set,synergy; reference:url,synergy-foss.org; classtype:attempted-admin; sid:21332; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Thunder p2p application activity detection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"thunder"; nocase; http_uri; content:"sandai"; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21172; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Thunder p2p application activity detection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"thunder"; nocase; http_uri; content:"xunlei"; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Xunlei; classtype:policy-violation; sid:21171; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1978 (msg:"APP-DETECT Apple OSX Remote Mouse usage"; flow:to_server,established; content:"mos "; fast_pattern:only; pcre:"/mos\s{2}\dm\s\d/"; reference:url,pastebin.com/F81NCiYE; classtype:policy-violation; sid:20443; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Dropbox desktop software in use"; flow:to_client,established; content:"|30 14 06 03 55 04 03 14 0D 2A|.dropbox.com"; nocase; classtype:policy-violation; sid:18609; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Dropbox desktop software in use"; flow:to_server,established; content:"/subscribe?host_int="; nocase; http_uri; content:"dropbox.com"; nocase; http_header; metadata:service http; classtype:policy-violation; sid:18608; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 17185 (msg:"APP-DETECT VxWorks remote debugging agent login attempt"; content:"|00 00 00 00 00 00 00 02 55 55 55 55 00 00 00 01 00 00 00 01|"; depth:20; offset:4; reference:cve,2010-2965; reference:url,blog.metasploit.com/2010/08/vxworks-vulnerabilities.html; reference:url,www.kb.cert.org/vuls/id/362332; classtype:protocol-command-decode; sid:17110; rev:4;)
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"APP-DETECT Tandberg VCS SSH default key"; flow:to_client,established; content:"|BF E2 52 B5 9A 23 8F E9 FE 10 49 C4 36 BD 31 85 D6 7E 41 C9 15 42 F1 01|"; fast_pattern:only; reference:cve,2009-4510; reference:url,www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp; reference:url,www.vsecurity.com/resources/advisory/20100409-1/; classtype:misc-activity; sid:16680; rev:8;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"APP-DETECT Nintendo Wii SSL Server Hello"; flow:to_client,established; ssl_state:server_hello; content:"Nintendo of America Inc"; fast_pattern:only; content:"noa.nintendo.com"; classtype:policy-violation; sid:15185; rev:4;)
# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"APP-DETECT Apple iTunes server multicast DNS response"; content:"Library|05|_daap|04|_tcp|05|local"; fast_pattern:only; content:"|00|!"; depth:2; offset:51; content:"|0E|i"; depth:2; offset:65; metadata:service dns; reference:url,www.apple.com/itunes/; reference:url,www.multicastdns.org; classtype:misc-activity; sid:13900; rev:7;)
# alert tcp $HOME_NET any -> any 3689 (msg:"APP-DETECT Apple iTunes client login attempt"; flow:to_server,established; flowbits:isset,itunes.serverinfo.request; content:"/login"; depth:6; offset:4; nocase; metadata:service http; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13899; rev:8;)
alert tcp $HOME_NET any -> any 3689 (msg:"APP-DETECT Apple iTunes client request for server info"; flow:to_server,established; content:"/server-info"; flowbits:set,itunes.serverinfo.request; flowbits:noalert; metadata:service http; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13898; rev:8;)
# alert tcp $EXTERNAL_NET !22 -> $HOME_NET any (msg:"APP-DETECT SSH server detected on non-standard port"; flow:to_client,established; content:"SSH-"; depth:4; nocase; pcre:"/^SSH-[12]\.\d+/smi"; reference:url,www.ietf.org/rfc/rfc4251.txt; classtype:protocol-command-decode; sid:13586; rev:4;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"APP-DETECT failed FTP login attempt"; flow:to_client,established; content:"530 "; depth:4; metadata:policy security-ips alert, service ftp; reference:url,www.ietf.org/rfc/rfc0959.txt; classtype:misc-activity; sid:13360; rev:6;)
# alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"APP-DETECT failed IMAP login attempt - invalid username/password"; flow:to_client,established; content:"NO LOGIN"; fast_pattern:only; pcre:"/^\s*\w+\s+NO LOGIN/smi"; metadata:policy security-ips alert, service imap; reference:url,www.ietf.org/rfc/rfc3501.txt; classtype:misc-activity; sid:13359; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Google Desktop activity"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"Google"; nocase; http_header; content:"Desktop"; nocase; http_header; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smiH"; metadata:service http; classtype:policy-violation; sid:7861; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443,8200] (msg:"APP-DETECT GoToMyPC remote control attempt"; flow:to_server,established; content:"jedi"; nocase; content:"request="; distance:0; nocase; content:"jedi="; distance:0; nocase; metadata:service http; reference:url,www.gotomypc.com/remote_access/pc_remote_access; classtype:policy-violation; sid:7034; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443,8200] (msg:"APP-DETECT GoToMyPC local service running"; flow:to_server,established; content:"jedi request"; fast_pattern:only; metadata:service http; reference:url,www.gotomypc.com/remote_access/pc_remote_access; classtype:policy-violation; sid:7033; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT GoToMyPC startup"; flow:to_server,established; content:"Jedi?request=ping&jedi=100"; fast_pattern:only; nocase; http_uri; metadata:service http; reference:url,www.gotomypc.com/howItWorks.tmpl; classtype:policy-violation; sid:7032; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 5060 (msg:"APP-DETECT Gizmo register VOIP state"; content:"INVITE sip|3A|"; nocase; content:"User-Agent|3A|"; nocase; content:"Gizmo"; fast_pattern:only; pcre:"/^User-Agent\x3A[^\n\r]+Gizmo/smi"; metadata:service sip; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6407; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Kontiki runtime detection"; flow:to_server,established; content:"User-Agent|3A| Kontiki Client"; fast_pattern:only; http_header; metadata:policy security-ips alert, service http; reference:url,www.extremetech.com/article2/0,3973,365073,00.asp; classtype:policy-violation; sid:5797; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"APP-DETECT remote desktop protocol attempted administrator connection request"; flow:to_server,established; content:"|E0|"; depth:1; offset:5; content:"mstshash=Administr"; distance:0; nocase; reference:bugtraq,14259; reference:cve,2005-1218; reference:url,attack.mitre.org/techniques/T1076; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-041; classtype:misc-activity; sid:4060; rev:9;)
# alert udp any any -> 255.255.255.255 23945 (msg:"APP-DETECT Data Rescue IDA Pro startup license check attempt"; flow:to_server; dsize:40; content:"IDA|00 01 00 00 00|"; depth:8; classtype:policy-violation; sid:3628; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"APP-DETECT distccd remote command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; metadata:ruleset community; reference:url,distcc.samba.org/security.html; classtype:policy-violation; sid:3061; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT iodine dns tunneling handshake server ACK"; flow:to_client; byte_test:1,&,0x80,2; content:"|00 01 00 01 00|"; depth:5; offset:4; content:"v"; within:1; distance:4; content:"VACK"; within:200; fast_pattern; metadata:service dns; reference:url,code.kryo.se/iodine/README.html; classtype:policy-violation; sid:27046; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT OzymanDNS dns tunneling down attempt"; flow:to_server,no_stream; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"id-"; distance:6; fast_pattern; content:"down"; within:10; distance:2; detection_filter:track by_dst, count 8, seconds 1; metadata:impact_flag red, service dns; reference:url,dankaminsky.com/2004/07/29/51/; classtype:policy-violation; sid:27541; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT OzymanDNS dns tunneling up attempt"; flow:to_server,no_stream; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"-0"; distance:6; content:"id-"; within:3; distance:1; fast_pattern; content:"up"; within:8; detection_filter:track by_src, count 18, seconds 1; metadata:impact_flag red, service dns; reference:url,dankaminsky.com/2004/07/29/51/; classtype:policy-violation; sid:27540; rev:4;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT TCP over DNS response attempt"; flow:to_client,no_stream; content:"|C0 0C 00 10 00 01 00 00 00 1E|"; content:!"|00 00 02 00 01|"; distance:0; detection_filter:track by_dst, count 8, seconds 1; pcre:"/[\x5e\x7d\x7b\x21\x5b\x5d\x5f\x60\x24\x25\x2a\x3c\x3e\x23\x3a\x3f\x2b\x7c]{2,50}?/smiR"; metadata:service dns; reference:url,analogbit.com/tcp-over-dns_howto; classtype:policy-violation; sid:27536; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Heyoka outbound communication attempt"; flow:to_server,no_stream; content:"|01 00 00 00 00 00 00|"; depth:7; offset:5; content:"|FF FF|"; within:2; distance:5; content:"|00 10 00 01|"; within:70; distance:10; detection_filter:track by_src, count 8, seconds 1; metadata:service dns; classtype:policy-violation; sid:27669; rev:3;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT Heyoka initial outbound connection attempt"; flow:to_server; content:"PQRSTUVWXYZ|5B 5C 5D 5E 5F A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:27668; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"APP-DETECT NSTX DNS tunnel outbound connection attempt"; flow:to_server,no_stream; content:"|01 00 00 00 00 00 00|"; depth:7; offset:5; content:"cT"; within:2; distance:1; fast_pattern; content:"|00 10 00 01|"; within:80; distance:10; detection_filter:track by_src, count 9, seconds 1; metadata:service dns; classtype:policy-violation; sid:27700; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Splashtop personal download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Splashtop_Personal_"; nocase; http_uri; content:".exe"; within:20; distance:3; nocase; http_uri; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27934; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Splashtop streamer download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/Splashtop_Streamer_"; nocase; http_uri; content:".exe"; within:20; distance:3; nocase; http_uri; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27933; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain devicevm.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|devicevm|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27932; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain splashtop.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|splashtop|03|net|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27931; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Splashtop domain splashtop.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|splashtop|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:misc-activity; sid:27930; rev:1;)
# alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET [6783,6784,6785] (msg:"APP-DETECT Splashtop communication attempt"; flow:stateless,no_stream; content:"|17 03 00 00 20|"; depth:5; detection_filter:track by_dst, count 75, seconds 1; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27929; rev:3;)
# alert tcp $EXTERNAL_NET [6783,6784,6785] -> $HOME_NET [1024:65535] (msg:"APP-DETECT Splashtop connection attempt"; flow:to_client,established; content:"Splashtop Inc. Self CA"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27928; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT Splashtop inbound connection negotiation attempt"; flow:to_client,established; dsize:140; content:"|20 00 88 00 00 0C 00 84 00 00 00 00 00 05 01|"; depth:15; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27927; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Splashtop Streamer certificate server connect attempt"; flow:to_server,established; content:"api.splashtop.com"; fast_pattern:only; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27926; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Splashtop Personal download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"S|00|p|00|l|00|a|00|s|00|h|00|t|00|o|00|p|00 20 00|P|00|e|00|r|00|s|00|o|00|n|00|a|00|l|00|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Splashtop Streamer download attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"CreateVRootshttp://www.splashtop.com/remotecaRemoveVRootsISCHECKFORPRODUCTUPDATES"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27924; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Splashtop connection negotiation attempt"; flow:to_server,established; dsize:4; content:"|20 00 C8 00|"; depth:4; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27923; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Splashtop outbound connection attempt"; flow:to_server,established; content:"/api/fulong"; fast_pattern:only; http_uri; content:"Referer: ver="; nocase; content:"Host:"; distance:0; nocase; http_header; content:"splashtop.com"; within:20; distance:2; nocase; http_header; metadata:service http; reference:url,en.wikipedia.org/wiki/Splashtop; classtype:policy-violation; sid:27922; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Dynamic Internet Technology Freegate application zip download attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/loc/software/fg/740/fg740p.zip"; nocase; http_uri; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:28001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"APP-DETECT Dynamic Internet Technology Freegate application executable download attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/loc/software/fg/740/fg740p.exe"; nocase; http_uri; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:28000; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Possible Dynamic Internet Technology Frontgate application PING"; icode:0; itype:8; ttl:1; content:"89|3A 3B|<=>?"; depth:8; offset:24; metadata:policy security-ips alert; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27999; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain washingtonchinareview.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|15|washingtonchinareview|03|org|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27998; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dongtaiwang|03|net|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27997; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain nbgtr.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|nbgtr|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27996; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain ewsxz.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|ewsxz|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27995; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dit-inc.us"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dit-inc|02|us|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27994; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain xcder.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|xcder|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27993; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"APP-DETECT DNS response for Dynamic Internet Technology domain ziyouforever.com"; flow:to_client; content:"|81 80|"; depth:2; offset:2; content:"|00 01 00 01 00 02 00 02|"; within:8; content:"|0C|ziyouforever"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27992; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain ziyouforever.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ziyouforever|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27991; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain umikl.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|umikl|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27990; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain mjuyh.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|mjuyh|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27989; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dongtaiwang.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dongtaiwang|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27988; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain vfrtg.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|vfrtg|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27987; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain rfvcd.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|rfvcd|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27986; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain hjuyv.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|hjuyv|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27985; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for Dynamic Internet Technology domain dfgvx.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|dfgvx|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27984; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Dynamic Internet Technology Freegate application zip download attempt"; flow:to_client,established; file_data; flowbits:isset,file.zip; content:"|00 15 00|fg740p.exe"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27983; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Dynamic Internet Technology Freegate application executable download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"D|00|y|00|n|00|a|00|m|00|i|00|c|00 20 00|I|00|n|00|t|00|e|00|r|00|n|00|e|00|t|00 20 00|T|00|e|00|c|00|h|00|n|00|o|00|l|00|o|00|g|00|y|00 2C 00 20 00|I|00|n|00|c"; fast_pattern:only; metadata:policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,wikipedia.org/wiki/Freegate; classtype:misc-activity; sid:27982; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT 360.cn SafeGuard local HTTP management console access attempt"; flow:to_server,established; content:"/login.php?refer=%2F"; fast_pattern:only; http_uri; metadata:service http; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360safe.com; reference:url,www.virustotal.com/en/domain/360safe.com/information/; classtype:trojan-activity; sid:28071; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|360safe|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360safe.com; reference:url,www.virustotal.com/en/domain/360safe.com/information/; classtype:trojan-activity; sid:28070; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for potential malware SafeGuard to domain 360.cn"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|360|02|cn|00|"; fast_pattern:only; metadata:service dns; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360.cn; reference:url,www.virustotal.com/en/domain/360.cn/information/; classtype:trojan-activity; sid:28069; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT 360.cn Safeguard runtime outbound communication"; flow:to_server,established; content:"/instcomp.htm?soft="; nocase; http_uri; content:"&status="; within:11; nocase; http_uri; content:"&mid="; within:9; nocase; http_uri; pcre:"/\&status=\d{4}\&mid=\w{32}/Ui"; metadata:service http; reference:url,en.wikipedia.org/wiki/360_Safeguard; reference:url,research.zscaler.com/2011/05/is-360cn-evil.html; reference:url,www.alexa.com/siteinfo/360.cn; reference:url,www.virustotal.com/en/domain/360.cn/information/; classtype:misc-activity; sid:28068; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"APP-DETECT Bizhi Sogou Wallpaper application download schema response"; flow:to_client,established; content:"200"; http_stat_code; content:"[sogoubizhi]"; fast_pattern:only; metadata:service http; reference:url,www.virustotal.com/en/domain/bizhi.sogou.com/information/; classtype:misc-activity; sid:28246; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bizhi Sogou Wallpaper application outbound connection attempt"; flow:to_server,established; content:"User-Agent: BIZHI_"; fast_pattern:only; http_header; metadata:service http; reference:url,www.virustotal.com/en/domain/bizhi.sogou.com/information/; classtype:misc-activity; sid:28245; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Foca file scanning attempt"; flow:to_server,established; content:"User-Agent|3A 20|FOCA|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1083; reference:url,www.softwarecrew.com/2011/10/foca-free-3-0-scans-your-website-for-document-based-security-leaks/; classtype:attempted-recon; sid:29354; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Baidu IME runtime detection - remote sync"; flow:to_server,established; content:"/cgi-bin/getmsg.cgi"; fast_pattern:only; http_uri; content:"Referrer|3A| http|3A 2F 2F|sync|2E|ime|2E|baidu|2E|jp"; nocase; http_header; metadata:service http; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:attempted-recon; sid:29322; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"APP-DETECT Baidu IME download attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|64 3A 5C 63 79 67 77 69 6E 5C 68 6F 6D 65 5C 73 63 6D 70 66 5C 63 6F 6D 70 69 6C 65 72 5F 73 72 63 5C 68 75 61 6E 67 64 69 5F|"; fast_pattern:only; content:"|5F 77 69 6E 33 32 5C 30 5C 61 70 70 5C 67 65 6E 73 6F 66 74 5C 69 6D 65 2D 6A 70 5C 62 61 69 64 75 69 6D 65 5C 6F 75 74 5C 42 61 69 64 75 4A 50 5F 53 65 74 75 70 5F 4D 49 4E 49 2E 70 64 62|"; metadata:service smtp; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:policy-violation; sid:29321; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT Baidu IME download attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|64 3A 5C 63 79 67 77 69 6E 5C 68 6F 6D 65 5C 73 63 6D 70 66 5C 63 6F 6D 70 69 6C 65 72 5F 73 72 63 5C 68 75 61 6E 67 64 69 5F|"; fast_pattern:only; content:"|5F 77 69 6E 33 32 5C 30 5C 61 70 70 5C 67 65 6E 73 6F 66 74 5C 69 6D 65 2D 6A 70 5C 62 61 69 64 75 69 6D 65 5C 6F 75 74 5C 42 61 69 64 75 4A 50 5F 53 65 74 75 70 5F 4D 49 4E 49 2E 70 64 62|"; metadata:service ftp-data, service http, service imap, service pop3; reference:url,ajw.asahi.com/article/behind_news/social_affairs/AJ201312260081; classtype:policy-violation; sid:29320; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"APP-DETECT VPN Over DNS application download attempt"; flow:to_server,established; flowbits:isset,file.zip|file.apk; file_data; content:"assets/dns160.png"; fast_pattern:only; content:"assets/dns240.png"; nocase; content:"assets/dns320.png"; within:150; nocase; content:"assets/fond-Snow-UI-Kit-2.png"; within:150; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29383; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"APP-DETECT VPN Over DNS application download attempt"; flow:to_client,established; flowbits:isset,file.zip|file.apk; file_data; content:"assets/dns160.png"; fast_pattern:only; content:"assets/dns240.png"; nocase; content:"assets/dns320.png"; within:150; nocase; content:"assets/fond-Snow-UI-Kit-2.png"; within:150; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29382; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT VPN Over DNS outbound traffic attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vpnoverdns|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,vpnoverdns.com; classtype:policy-violation; sid:29381; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Paros proxy outbound connection attempt"; flow:to_server, established; content:"User-Agent|3A 20|"; http_header; content:"Paros"; distance:0; fast_pattern; http_header; pcre:"/User-Agent\x3a\s[^\x0d\x0a]*Paros/H"; metadata:service http; reference:url,sourceforge.net/projects/paros; classtype:policy-violation; sid:30195; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5279 (msg:"APP-DETECT Anyplace usage attempt"; flow:to_server,established; content:"|AA 25 00 BF A3 5C 37 A4 09 1F C4 04 3F B6 34 E9 EA 45 0B 01 6E B0 9E 53 FF 15 A1 7C A0 4E 17 62|"; fast_pattern:only; reference:url,www.anyplace-control.com; classtype:web-application-activity; sid:30254; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"APP-DETECT Anyplace proxy header detected"; flow:to_server,established; content:"HTTP/1.1 005|0D 0A|VE"; depth:16; metadata:service http; reference:url,www.anyplace-control.com; classtype:web-application-activity; sid:30253; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; sid:26395; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain tnseed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|tnseed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30875; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed2.net.terracoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed2|03|net|09|terracoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30874; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.qrkcoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|07|qrkcoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30873; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.net.terracoin.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|03|net|09|terracoin|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30872; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed1.metiscoininvest.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|seed1|0F|metiscoininvest|04|info|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30871; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.ppcoin.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|06|ppcoin|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30870; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.mophides.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|08|mophides|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30869; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dogecoin.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|08|dogecoin|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30868; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dogechain.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|09|dogechain|04|info|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30867; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.dglibrary.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|09|dglibrary|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30866; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain seed.bitcoinstats.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|seed|0C|bitcoinstats|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30865; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dvcstable02.dvcnode.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dvcstable02|07|dvcnode|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30864; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dvcstable01.dvcnode.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|dvcstable01|07|dvcnode|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30863; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.xpm.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|xpm|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30862; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ppc.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ppc|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30861; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.ltc.xurious.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|03|ltc|07|xurious|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30860; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecointools.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0D|litecointools|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30859; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.litecoinpool.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0C|litecoinpool|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30858; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.koin-project.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0C|koin-project|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30857; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.feathercoin.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|0B|feathercoin|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30856; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.fc.altcointech.net"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|02|fc|0B|altcointech|03|net|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30855; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain dnsseed.btcltcftc.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|dnsseed|09|btcltcftc|03|com|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30854; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT DNS request for known bitcoin domain bitseed.xf2.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bitseed|03|xf2|03|org|00|"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:30853; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [8000,8080,8787,5005] (msg:"APP-DETECT Oracle Java debug wire protocol remote debugging attempt"; flow:to_server,established; dsize:14; content:"JDWP-Handshake"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-6639; reference:url,blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html; reference:url,docs.oracle.com/javase/7/docs/technotes/guides/jpda/jdwp-spec.html; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1; classtype:protocol-command-decode; sid:31302; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1337 (msg:"APP-DETECT Xolominer outbound connection attempt"; flow:to_server,established; content:"|22|"; depth:1; content:"|00|"; within:1; distance:34; reference:url,www.virustotal.com/en/file/41cff4db42730a6d9b2a8c69ebc94df571c35b5983824747512f23352c9d0aae/analysis/; classtype:policy-violation; sid:31532; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET any (msg:"APP-DETECT I2P UPNP query attempt"; flow:to_server, established; content:"/upnphost/udhisapi.dll?content"; fast_pattern:only; content:"User-Agent: I2P Java"; content:"Connection: close"; metadata:service http; reference:url,geti2p.net; classtype:misc-activity; sid:32866; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT I2P DNS request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|PC|07|malware|03|com|00|"; fast_pattern:only; metadata:service dns; reference:url,geti2p.net; classtype:trojan-activity; sid:32865; rev:1;)
# alert udp $HOME_NET 137 -> $HOME_NET 137 (msg:"APP-DETECT I2P NetBIOS name resolution request attempt"; content:"FAEDCOENEBEMFHEBFCEFCOEDEPENCAAA|00|"; fast_pattern:only; metadata:service netbios-ns; reference:url,geti2p.net; classtype:misc-activity; sid:32864; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; content:"Host|3A| search64.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32851; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; content:"Host|3A| search2.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32850; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A| search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A| namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com"; flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - absolute.com"; flow:to_server,established; content:".absolute.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223"; flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT I2P traffic transmission attempt"; flow:to_server,established; content:"Host:"; content:".i2p|0D 0A|"; within:100; nocase; metadata:service http; reference:url,geti2p.net; classtype:policy-violation; sid:33430; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT TeamViewer remote administration tool outbound connection attempt"; flow:to_server,established; content:"client=DynGate"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1219; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:34463; rev:4;)
# alert udp $EXTERNAL_NET 53 -> any any (msg:"APP-DETECT Your-Freedom DNS tunneling query response attempt"; flow:to_client; byte_test:1,!&,0x01,2; content:"|03|s"; nocase; content:"|03|1yf|02|de|00|"; distance:2; nocase; metadata:service dns; reference:url,your-freedom.net; classtype:misc-activity; sid:34497; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT Your-Freedom DNS tunneling query attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|s"; nocase; content:"|03|1yf|02|de|00|"; distance:2; nocase; metadata:service dns; reference:url,your-freedom.net; classtype:misc-activity; sid:34496; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"APP-DETECT 12P DNS request attempt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|b32|03|i2p|00|"; fast_pattern:only; metadata:service dns; reference:url,geti2p.net; classtype:misc-activity; sid:37062; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Jenkins Groovy script access through script console attempt"; flow:to_server,established; content:"POST /jenkins/script"; fast_pattern:only; metadata:service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_script_console.rb; reference:url,wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console; classtype:policy-violation; sid:37354; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/be_client_cgi/perr?browser="; fast_pattern:only; http_uri; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37306; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,22222,22223] (msg:"APP-DETECT Hola VPN tunnel keep alive"; flow:to_server,established; content:"/hola_trigger?ping=tunnel"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37305; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,22222,22223] (msg:"APP-DETECT Hola VPN non-http port ping"; flow:to_server,established; content:"/ping?rmt_ver"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37304; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN X-Hola-Version header attempt"; flow:to_server,established; content:"X-Hola-Version:"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37303; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Hola VPN X-Hola-Version header nonstandard port attempt"; flow:to_server,established; content:"X-Hola-Version:"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37302; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/www/hola/pub/"; fast_pattern:only; http_uri; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37301; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN startup attempt"; flow:to_server,established; content:"/access/popular"; fast_pattern:only; http_uri; content:"Host"; http_header; content:"hola.org"; within:50; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37300; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN installation attempt"; flow:to_server,established; content:"User-Agent: hola_get"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37299; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Hola VPN installation attempt"; flow:to_server,established; content:"User-Agent: wget|0D 0A|Host: perr.hola.org"; fast_pattern:only; http_header; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,en.wikipedia.org/wiki/Hola_(VPN); classtype:policy-violation; sid:37298; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bloomberg web crawler outbound connection"; flow:to_server,established; content:"User-Agent: BLP_bbot"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,irwebreport.com/20110223/bloomberg-bot-strikes-again-transocean-earnings-leaked; classtype:misc-activity; sid:38594; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"APP-DETECT OpenVAS Scanner User-Agent attempt"; flow:to_server,established; content:"User-Agent:"; http_header; content:"OpenVAS"; within:50; fast_pattern; http_header; metadata:service http; classtype:web-application-activity; sid:40335; rev:2;)
# alert udp any 68 -> any 67 (msg:"APP-DETECT Intel AMT DHCP boot request detected"; flow:to_server; content:"|01 01 06|"; depth:3; content:"|37 09 06 03 01 0F 42 43 0D 2C 0C FF 00 00 00|"; isdataat:!1,relative; metadata:policy max-detect-ips drop, service dhcp; reference:url,www-ssl.intel.com/content/www/us/en/architecture-and-technology/intel-active-management-technology.html; classtype:policy-violation; sid:42492; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT HTTPTunnel proxy outbound connection detected"; flow:to_server,established; content:"/index.html?crap="; fast_pattern:only; http_uri; metadata:service http; reference:url,http-tunnel.sourceforge.net/; classtype:policy-violation; sid:43565; rev:1;)