snort2-docker/docker/etc/rules/pua-other.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------
# PUA-OTHER RULES
#-----------------
# Review notes on this section:
# - A leading "# " in front of a rule disables it: Snort treats the line as a
#   comment and never loads it. Disabled rules are kept in place rather than
#   deleted so the sid/rev bookkeeping of the upstream ruleset is preserved.
# - "|..|" inside a content option is hex-escape notation; "|22|" is a double
#   quote, so "|22|method|22|" matches the JSON key "method" literally.
# - "nocase" applies only to the content option immediately before it.
#
# Stratum/JSON-RPC miner login, matched on the agent string. The "method" and
# "agent" key matches are case-insensitive, but the agent-string contents
# ("|22|XMRig", "|22|cpuminer-multi", "|22|xmr-stak-cpu", "|22|XMRMiner",
# "|22|xmr-stak") carry no nocase and are therefore case-sensitive as written.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMRig cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|XMRig"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/xmrig/xmrig; classtype:policy-violation; sid:45549; rev:4;)
# Bitcoin P2P: |F9 BE B4 D9| is the 4-byte Bitcoin mainnet message magic and
# 8333 the default P2P port. Both directions are disabled in this deployment.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 8333 (msg:"PUA-OTHER Bitcoin outbound request attempt"; flow:established,to_server; content:"|F9 BE B4 D9|"; depth:4; reference:url,bitcoin.org/en/; classtype:policy-violation; sid:26438; rev:1;)
# alert tcp $EXTERNAL_NET 8333 -> $HOME_NET any (msg:"PUA-OTHER Bitcoin inbound response attempt"; flow:established,to_client; content:"|F9 BE B4 D9|"; depth:4; reference:url,bitcoin.org/en/; classtype:policy-violation; sid:26437; rev:1;)
# Legacy instant-messenger / IRC client exploit signatures (all disabled).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"PUA-OTHER Yahoo Messenger iframe injection status change attempt"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"SetCustomStatus"; fast_pattern:only; content:"265|C0 80|"; pcre:"/265\xC0\x80[^\xC0]*\x22[^\xC0]*SetCustomStatus/i"; reference:url,www.malwarecity.com/blog/new-yahoo-messenger-0-day-exploit-hijacks-users-status-update-1229.html; classtype:web-application-activity; sid:20655; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER Skype URI handler input validation exploit attempt"; flow:to_client,established; file_data; content:"skype|3A|"; nocase; pcre:"/\x3Ca\s+[^\x3E]*href\s*\x3D\s*(\x22|\x27)?skype\x3A[^\s\x3E]*[\x01-\x07]/i"; metadata:service http; reference:bugtraq,38699; reference:url,security-assessment.com/files/advisories/Skype_URI_Handling_Vulnerability.pdf; classtype:misc-attack; sid:16718; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER mIRC IRC URL buffer overflow attempt"; flow:to_client,established; file_data; content:"src='irc|3A|//"; pcre:"/^\S{999}/R"; metadata:service http; reference:bugtraq,8819; reference:cve,2003-1336; classtype:attempted-user; sid:16579; rev:6;)
# Openfire admin-console authentication bypass (CVE-2008-6508/6509/6510).
# Each rule requires a "../" sequence (\x2E\x2E\x2F) after a known unauthenticated
# path on the admin ports 9090/9091. All disabled here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server serverdown Authentication bypass attempt"; flow:to_server,established; content:"error-serverdown.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Ferror-serverdown\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15156; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server png Authentication bypass attempt"; flow:to_server,established; content:"|2F|.png"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2F\x2Epng.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15155; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server gif Authentication bypass attempt"; flow:to_server,established; content:"|2F|.gif"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2F\x2Egif.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15154; rev:7;)
# NOTE(review): sid:15152's pcre contains "\x2Fsetup\x2F\index" -- "\i" is not a
# defined PCRE escape. Presumably the PCRE build used by Snort 2 reads it as a
# literal "i"; verify before re-enabling this rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server setup-index Authentication bypass attempt"; flow:to_server,established; content:"setup/index.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Fsetup\x2F\index\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15152; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server logout Authentication bypass attempt"; flow:to_server,established; content:"index.jsp?logout=true"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Findex\x2Ejsp\x3Flogout\x3Dtrue.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15151; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server login Authentication bypass attempt"; flow:to_server,established; content:"login.jsp"; fast_pattern:only; pcre:"/^[a-zA-Z]+\s+\x2Flogin\x2Ejsp.*\x2E\x2E\x2F/mi"; metadata:service http; reference:bugtraq,32189; reference:cve,2008-6508; reference:cve,2008-6509; reference:cve,2008-6510; classtype:attempted-admin; sid:15150; rev:6;)
# MSN Messenger PNG tRNS overflow (MS05-009): byte_test checks the tRNS chunk
# length (4 bytes big-endian, 8 bytes back from the "tRNS" tag) against 256.
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130; rev:8;)
# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)
# Exact Host-header literal ("Host: pierrejb.agora.eu.org", the space after the
# colon is part of the match), restricted to port 80 outbound.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"PUA-OTHER Request for known malware domain pierrejb.agora.eu.org"; flow:to_server,established; content:"Host|3A| pierrejb.agora.eu.org"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:32578; rev:1;)
# NOTE(review): sid:20554 only sets the "messenger" flowbit (flowbits:noalert,
# so it never alerts on its own). Its consumer sid:17551 directly below is
# disabled, so the bit is set but never checked. Either enable 17551 or
# disable 20554 as well; as configured, the setter is evaluated for nothing.
alert udp $EXTERNAL_NET any -> $HOME_NET 5004:65535 (msg:"PUA-OTHER Microsoft MSN Messenger and Windows Live Messenger Code Execution attempt"; flow:to_server; content:"|0E 58|"; depth:2; content:"connected"; within:9; distance:7; flowbits:set,messenger; flowbits:noalert; metadata:policy max-detect-ips drop; reference:bugtraq,25461; reference:cve,2007-2931; classtype:attempted-user; sid:20554; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5004:65535 (msg:"PUA-OTHER Microsoft MSN Messenger and Windows Live Messenger Code Execution attempt"; flow:to_server; flowbits:isset,messenger; content:"|F3 49|"; depth:2; byte_test:1,>,130,5,relative,little; metadata:policy max-detect-ips drop; reference:bugtraq,25461; reference:cve,2007-2931; classtype:attempted-user; sid:17551; rev:11;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-OTHER AOL GAIM AIM-ICQ Protocol Handling buffer overflow attempt"; flow:to_client,established; content:"|2A 02|"; depth:2; content:"|00 02 00 06|"; within:4; distance:4; byte_jump:1,6,relative; content:"|00 03|"; distance:4; content:"text"; within:4; distance:2; content:"|00 04|"; distance:4; byte_test:2,>,0x0100,0,relative; pcre:"/(\x25(n|t|d)\x20){85}/sm"; metadata:policy max-detect-ips drop; reference:bugtraq,14531; reference:cve,2005-2103; classtype:attempted-user; sid:17357; rev:9;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"PUA-OTHER mIRC PRIVMSG message processing overflow attempt"; flow:to_client,established; isdataat:317; content:"PRIVMSG"; fast_pattern:only; pcre:"/[^\x3a\s]{309}\sPRIVMSG/i"; metadata:policy max-detect-ips drop, service ircd; reference:bugtraq,31552; reference:cve,2008-4449; classtype:attempted-user; sid:15711; rev:8;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-OTHER Cerulean Studios Trillian image filename handling XML tag overflow attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:4; distance:4; content:"<IMG "; nocase; pcre:"/\x3cimg[^\x3e]*src\x3d(\x22|\x27)?[^\x22\x27\s]{300}/i"; metadata:policy max-detect-ips drop; reference:cve,2008-5401; classtype:attempted-user; sid:15489; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [9090,9091] (msg:"PUA-OTHER Jive Software Openfire Jabber Server setup Authentication bypass attempt"; flow:to_server,established; content:"setup/setup-"; fast_pattern:only; pcre:"/^[A-Z]+\s+\x2Fsetup\x2Fsetup-.*?\x2E\x2E\x2F/mi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32189; reference:cve,2008-6509; classtype:attempted-admin; sid:15153; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PUA-OTHER Skype skype4com URI handler memory corruption attempt"; flow:to_client,established; file_data; content:"skype4com|3A|"; fast_pattern:only; pcre:"/skype4com\x3A[A-Z\d]{0,6}[^A-Z\d]/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26748; reference:cve,2007-5989; classtype:attempted-user; sid:13292; rev:14;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER RMS rmansys remote management tool cnc communication"; flow:to_server,established; content:"/utils/inet_id_notify.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:url,virustotal.com/en/file/25C444D7A7AE59DF4335D55916DFEF97A467C18BA9B0B92E2DBFFBD788206599/analysis/; classtype:misc-activity; sid:39416; rev:1;)
# Stratum "mining.*" method rules (community ruleset) are disabled here, so
# within this file Stratum traffic is covered only by the agent-string rules
# and by the generic JSON-RPC login rule sid:46237 below.
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.extranonce.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40842; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.authorize|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40841; rev:1;)
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40840; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER CPUMiner-Multi cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|cpuminer-multi"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,github.com/OhGodAPet/cpuminer-multi; classtype:policy-violation; sid:45550; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|xmr-stak-cpu"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/fireice-uk/xmr-stak-cpu; classtype:policy-violation; sid:45825; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMRMiner cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|XMRMiner"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/xmrig/xmrig; classtype:policy-violation; sid:45955; rev:1;)
# Browser-miner service domains in TLS handshakes. These are plain substring
# matches of the domain name on the client/server hello bytes (ssl_state);
# they do not parse SNI or the certificate. NOTE(review): sid:45952 alone
# carries "file_data" before ssl_state; its sibling sid:45951 and the
# Coinhive/Moonify/Mineralt pairs do not -- confirm this is intentional.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Authedmine TLS client hello attempt"; flow:to_server,established; file_data; ssl_state:client_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45952; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Authedmine TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"authedmine.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45951; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Coinhive TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"coinhive.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45950; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Coinhive TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"coinhive.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:45949; rev:1;)
# Generic miner login: a JSON-RPC "login" call carrying "login", "pass" and
# "agent" fields, independent of the agent value. All contents are
# case-sensitive (no nocase) and no fast_pattern is pinned, so Snort picks the
# longest content for the fast-pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER Cryptocurrency Miner outbound connection attempt"; flow:established,to_server; content:"|7B 22|id|22 3A|"; content:"|22|jsonrpc|22 3A|"; content:"|22|method|22 3A 22|login|22 2C 22|params|22 3A 7B 22|login|22 3A|"; content:"|22|pass|22 3A|"; content:"|22|agent|22 3A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120/analysis; classtype:policy-violation; sid:46237; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Moonify TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"moonify.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:46372; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Moonify TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; content:"moonify.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:misc-attack; sid:46371; rev:1;)
# In-browser miner payloads inspected via file_data on the server->client side
# (HTTP bodies and mail/FTP attachments, per the service metadata).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Moonify Miner client detected"; flow:to_client,established; file_data; content:"Moonify.start"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,doc.moonify.io; classtype:misc-attack; sid:46370; rev:1;)
# NOTE(review): sid:46366 requires the "file.wasm" flowbit, which is set by a
# file-type rule outside this file (presumably the file-identify rules). It
# never fires unless that setter is loaded as well.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER CryptoNight webassembly download attempt"; flow:to_client,established; flowbits:isset,file.wasm; file_data; content:"cryptonight"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:misc-attack; sid:46366; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER CoinHive Miner client detected"; flow:to_client,established; file_data; content:"ASMJS_NAME"; fast_pattern:only; content:"LIB_URL"; content:"WEBSOCKET"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,coinhive.com/documentation/miner; classtype:misc-attack; sid:46365; rev:1;)
# Keys on the literal 'new Function(atob("' construct; it may also match
# non-mining JavaScript that evaluates base64-decoded code, so review hits
# before treating them as confirmed mining.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER obfuscated cryptomining javascript download attempt"; flow:to_client,established; file_data; content:"new Function(atob(|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/c6c5b88e5b641484c9f50f1abdbebb10e5a48db057e35cb7f556779c5684003b/; classtype:misc-attack; sid:46414; rev:1;)
# Two Mineralt loader detections share one msg: sid:46414 keys on the
# "window._am.start()" call, sid:46413 on an "async class" attribute whose
# value is base64 or a ";NN;0|1"-style token (see the pcre).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"window._am.start()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,mineralt.io; classtype:misc-attack; sid:46414; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Mineralt JavaScript cryptocurrency mining attempt"; flow:to_client,established; file_data; content:"async class"; fast_pattern:only; pcre:"/async\s+class\s*=\s*[\x27\x22]([A-Za-z0-9+\x2f=]+|[^\x22\x27]*?\x3b\d{2,3}\x3b[01])[\x27\x22]/is"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,mineralt.io; classtype:misc-attack; sid:46413; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-OTHER Javascript obfuscated by obfuscator.io download attempt"; flow:to_client,established; file_data; content:"var _0x"; content:"["; within:10; content:"var _0x"; distance:0; content:"function"; within:30; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:46412; rev:2;)
# Mineralt TLS pair: "isdataat:!1000" restricts sid:46411 to server hellos
# shorter than 1001 bytes. Note these two carry "service ssl" while the
# Authedmine/Coinhive/Moonify hello rules above carry "service http".
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PUA-OTHER Mineralt TLS server hello attempt"; flow:to_client,established; ssl_state:server_hello; isdataat:!1000; content:"mineralt.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:misc-attack; sid:46411; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-OTHER Mineralt TLS client hello attempt"; flow:to_server,established; ssl_state:client_hello; content:"mineralt.io"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ssl; classtype:misc-attack; sid:46410; rev:2;)
# "urilen:<8" with content "/xmrig" means the whole URI is at most 7 bytes,
# i.e. "/xmrig" itself or with a single trailing character.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-OTHER XMRig cryptocurrency miner download attempt"; flow:to_server,established; content:"/xmrig"; fast_pattern:only; http_uri; urilen:<8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:policy-violation; sid:49111; rev:1;)
# NOTE(review): the fast-pattern content "|22|xmr-stak" here is a prefix of
# sid:45825's "|22|xmr-stak-cpu" above, so any session that fires 45825 also
# fires 49194. Harmless, but expect duplicate alerts per session unless one
# of the two is suppressed.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-OTHER XMR-Stak cryptocurrency mining pool connection attempt"; flow:to_server,established; content:"|22|method|22|"; nocase; content:"|22|agent|22|"; nocase; content:"|22|xmr-stak"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,github.com/fireice-uk/xmr-stak; classtype:policy-violation; sid:49194; rev:1;)